Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32932

CVE-2026-32932: Chamilo LMS Open Redirect Vulnerability

CVE-2026-32932 is an open redirect flaw in Chamilo LMS that redirects authenticated administrators to malicious URLs and leaks session data. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-32932 Overview

CVE-2026-32932 is an Open Redirect vulnerability discovered in Chamilo LMS, a widely-used open-source learning management system. The vulnerability exists in the session course edit page and allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. Additionally, this redirect leaks the id_session parameter to the attacker's controlled server, potentially exposing sensitive session information.

Critical Impact

Authenticated administrators can be redirected to malicious external URLs, with session identifiers leaked to attacker-controlled servers, enabling potential phishing attacks and session information disclosure.

Affected Products

  • Chamilo LMS versions prior to 1.11.38
  • Chamilo LMS versions prior to 2.0.0-RC.3

Discovery Timeline

  • 2026-04-10 - CVE-2026-32932 published to NVD
  • 2026-04-13 - Last updated in NVD database

Technical Details for CVE-2026-32932

Vulnerability Analysis

This Open Redirect vulnerability (CWE-601) exists within the session course edit functionality of Chamilo LMS. The vulnerability arises from improper validation of user-supplied redirect URLs in the coach assignment workflow. When an administrator saves changes to coach assignments within a session course, the application fails to properly validate the destination URL parameter, allowing redirection to arbitrary external domains.

The attack is particularly concerning because it targets authenticated administrators who have elevated privileges within the LMS platform. The exploitation requires user interaction (clicking a malicious link), but the attack leverages the trust relationship between administrators and the Chamilo platform. Since the redirect occurs after a legitimate save operation, administrators may not immediately recognize the malicious redirection.

Root Cause

The root cause of this vulnerability is insufficient URL validation in the redirect logic within the session course edit page. The application accepts and processes user-controlled redirect parameters without properly verifying that the destination URL is within the application's trusted domain whitelist. This allows attackers to craft URLs that redirect to external, potentially malicious websites while also leaking the id_session parameter as part of the redirect request.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker crafts a malicious URL targeting the session course edit page with a specially crafted redirect parameter pointing to an attacker-controlled server. When an authenticated administrator clicks this link and completes the coach assignment save operation, they are redirected to the attacker's server. The redirect URL includes the id_session parameter, which leaks session-related information to the attacker.

This type of attack is commonly used in phishing campaigns where the attacker can present a fake login page or credential harvesting form after the redirect, leveraging the administrator's trust in the legitimate Chamilo domain appearing in the initial URL.

Detection Methods for CVE-2026-32932

Indicators of Compromise

  • Outbound HTTP/HTTPS requests from the Chamilo server to unexpected external domains following session course edit operations
  • Web server access logs showing redirect parameters containing external URLs in session course edit endpoints
  • Reports from users or administrators about unexpected redirects after saving coach assignments

Detection Strategies

  • Monitor web application firewall (WAF) logs for URL parameters containing external domains in session management endpoints
  • Implement content security policy (CSP) headers to detect and report unauthorized redirects
  • Review access logs for patterns indicating redirect manipulation attempts, particularly targeting administrative session endpoints

Monitoring Recommendations

  • Enable detailed logging for the session course edit functionality to track redirect behavior
  • Configure alerting for any outbound redirects to non-whitelisted domains originating from administrative pages
  • Implement user behavior analytics to detect anomalous administrator activity patterns

How to Mitigate CVE-2026-32932

Immediate Actions Required

  • Upgrade Chamilo LMS to version 1.11.38 or later for the 1.x branch
  • Upgrade Chamilo LMS to version 2.0.0-RC.3 or later for the 2.x branch
  • Review administrator accounts for any signs of compromise or unauthorized access
  • Educate administrators about the risks of clicking untrusted links

Patch Information

The vulnerability has been fixed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3. The patches implement proper URL validation to ensure redirects only occur to trusted destinations within the application domain.

Relevant commits addressing this vulnerability:

For complete details, refer to the GitHub Security Advisory.

Workarounds

  • Implement a web application firewall (WAF) rule to block or sanitize redirect parameters containing external URLs
  • Restrict administrative access to the session course edit functionality to trusted network segments only
  • Train administrators to verify URLs before clicking and to access Chamilo directly rather than through email links

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.