CVE-2026-33141 Overview
CVE-2026-33141 is an Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS, an open-source learning management system. Prior to version 2.0.0-RC.3, the REST API stats endpoint contains an authorization flaw that allows any authenticated user (including low-privilege students holding only ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, with no enrollment or supervisory relationship required.
Critical Impact
Authenticated users can access sensitive academic data belonging to other users, including grades, learning progress, and certificates, leading to significant privacy violations and potential academic integrity concerns.
Affected Products
- Chamilo LMS versions prior to 2.0.0-RC.3
Discovery Timeline
- 2026-04-10 - CVE-2026-33141 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-33141
Vulnerability Analysis
This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), a common weakness pattern where applications fail to properly verify that the current user is authorized to access the requested resource. In the context of Chamilo LMS, the REST API stats endpoint accepts user-controlled parameters to query user statistics but fails to validate whether the requesting user has the appropriate relationship (such as enrollment in the same course or a supervisory role) to access the target user's data.
The vulnerability is network-exploitable and requires only low-privilege authentication. Any user with a valid session, including students with only ROLE_USER permissions, can manipulate API requests to retrieve sensitive academic information belonging to other users. This includes learning progress tracking, issued certificates, and gradebook scores across all courses.
Root Cause
The root cause is insufficient authorization checks in the REST API stats endpoint. The application accepts user identifiers directly from request parameters and retrieves the corresponding data without validating the relationship between the authenticated user and the target user. This classic IDOR pattern allows horizontal privilege escalation, enabling users to access data belonging to other users at the same privilege level.
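The following is an added illustration of the pattern described above, not Chamilo's code and not the fix in commit 792ba059: the data model, function names and role strings are constructed for this example. It places the vulnerable shape (a user-controlled key served after authentication only) beside the hardened shape (the caller is authorized against the target user and course before the record is looked up).

```python
"""Hypothetical model of the IDOR pattern behind CVE-2026-33141.

Added example, not Chamilo's code: users, courses, role names and the
handler functions are constructed. The point is the shape of the bug
(a user-controlled key served without a relationship check) and the
shape of the fix (authorize caller against target before the lookup).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


class Forbidden(Exception):
    """Raised when the caller may not view the requested record."""


@dataclass
class User:
    user_id: int
    roles: Set[str]  # constructed role names, loosely Symfony-style


@dataclass
class Course:
    course_id: int
    teachers: Set[int]
    students: Set[int]


# Constructed sample data: two students, one teacher, one admin, two courses.
USERS: Dict[int, User] = {
    1: User(1, {"ROLE_USER"}),
    2: User(2, {"ROLE_USER"}),
    3: User(3, {"ROLE_TEACHER"}),
    4: User(4, {"ROLE_ADMIN"}),
}
COURSES: Dict[int, Course] = {
    10: Course(10, teachers={3}, students={1, 2}),
    11: Course(11, teachers={3}, students={2}),
}
# (user_id, course_id) -> constructed stats record
STATS: Dict[Tuple[int, int], dict] = {
    (1, 10): {"progress": 40, "score": 71.0, "certificate": False},
    (2, 10): {"progress": 95, "score": 88.5, "certificate": True},
    (2, 11): {"progress": 10, "score": 0.0, "certificate": False},
}


def get_stats_vulnerable(caller: User, target_user_id: int, course_id: int) -> Optional[dict]:
    """Before-the-fix shape: the caller is authenticated, but the target
    user ID is trusted as supplied, so any caller can read any record."""
    return STATS.get((target_user_id, course_id))


def can_view_stats(caller: User, target_user_id: int, course_id: int) -> bool:
    """Relationship check: the caller may view their own record, any record
    if they are a platform admin, or a student's record in a course they
    teach. Everything else is denied."""
    if target_user_id == caller.user_id:
        return True
    if "ROLE_ADMIN" in caller.roles:
        return True
    course = COURSES.get(course_id)
    if course is None:
        return False
    return caller.user_id in course.teachers and target_user_id in course.students


def get_stats_fixed(caller: User, target_user_id: int, course_id: int) -> Optional[dict]:
    """After-the-fix shape: deny before the lookup, so an unauthorized
    caller does not even learn whether (target, course) exists."""
    if not can_view_stats(caller, target_user_id, course_id):
        raise Forbidden(f"user {caller.user_id} may not view stats of user {target_user_id}")
    return STATS.get((target_user_id, course_id))


if __name__ == "__main__":
    student = USERS[1]
    print("vulnerable:", get_stats_vulnerable(student, 2, 10))  # leaks user 2's record
    try:
        get_stats_fixed(student, 2, 10)
    except Forbidden as exc:
        print("fixed:", exc)
```

The ordering in `get_stats_fixed` matters: the authorization decision is made from the caller's relationship to the requested key alone, before any record is fetched, so a denied request returns the same result whether or not the target exists. Checking after the lookup would still leak existence through differing error paths.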
Attack Vector
The attack vector is network-based and requires low-privilege authentication. An attacker would:
- Authenticate to the Chamilo LMS instance with any valid user account (even a basic student account)
- Identify or enumerate valid user IDs within the system
- Craft API requests to the stats endpoint with arbitrary user IDs
- Retrieve learning progress, certificates, and gradebook data for any user in the system
The vulnerability can be exploited by manipulating user identifier parameters in API requests to the stats endpoint. By iterating through user IDs, an attacker could systematically extract academic records for all users in the system. Technical details are available in the GitHub Security Advisory.
Detection Methods for CVE-2026-33141
Indicators of Compromise
- Unusual API access patterns to stats endpoints with multiple different user IDs from a single session
- High volume of requests to REST API endpoints querying user statistics
- Access logs showing authenticated users requesting data for user IDs they have no relationship with
- Error logs indicating authorization boundary violations or access denials
Detection Strategies
- Monitor API access logs for patterns where a single authenticated user queries statistics for multiple different user IDs
- Implement anomaly detection for users accessing data outside their enrolled courses or supervisory scope
- Review authentication and authorization logs for unusual sequential user ID queries
- Deploy web application firewall rules to detect parameter manipulation attacks on REST API endpoints
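As an added example of the first and third strategies above (not part of the advisory), the script below runs the "one caller, many distinct target user IDs" heuristic over constructed access log lines in combined log format. The endpoint path `/api/stats` and the `user_id` query parameter are placeholders for the real Chamilo route and should be replaced with the actual values from your deployment; only successful (200) responses are counted, since those are the requests that disclosed data.

```python
"""Detecting stats-endpoint enumeration in web server access logs.

Added example, not part of the advisory: the log lines are constructed,
and STATS_PATH / TARGET_PARAM are placeholders for the real Chamilo
route and parameter. Heuristic: one authenticated caller successfully
fetching statistics for many distinct target user IDs, with a flag when
those IDs form a consecutive run (a typical enumeration signature).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

STATS_PATH = "/api/stats"  # placeholder route, not the real Chamilo path
TARGET_PARAM = "user_id"   # placeholder parameter name

# Combined log format: ip ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: alice walks user IDs 1..4; bob makes normal requests.
SAMPLE_LOG = """\
198.51.100.7 - alice [10/Apr/2026:12:00:01 +0000] "GET /api/stats?user_id=1&course_id=10 HTTP/1.1" 200 512
198.51.100.7 - alice [10/Apr/2026:12:00:04 +0000] "GET /api/stats?user_id=2&course_id=10 HTTP/1.1" 200 498
198.51.100.7 - alice [10/Apr/2026:12:00:05 +0000] "GET /api/stats?user_id=3&course_id=10 HTTP/1.1" 200 503
198.51.100.7 - alice [10/Apr/2026:12:00:06 +0000] "GET /api/stats?user_id=4&course_id=10 HTTP/1.1" 200 511
198.51.100.7 - alice [10/Apr/2026:12:00:07 +0000] "GET /api/stats?user_id=5&course_id=10 HTTP/1.1" 403 88
203.0.113.9 - bob [10/Apr/2026:12:01:10 +0000] "GET /api/stats?user_id=7&course_id=11 HTTP/1.1" 200 490
203.0.113.9 - bob [10/Apr/2026:12:03:10 +0000] "GET /api/courses HTTP/1.1" 200 2048
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; returns None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def targets_by_caller(lines: Iterable[str]) -> Dict[str, List[int]]:
    """Distinct target user IDs successfully fetched per authenticated caller."""
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":
            continue
        if rec["path"] != STATS_PATH or rec["status"] != 200:
            continue
        for value in rec["query"].get(TARGET_PARAM, []):
            if value.isdigit():
                seen[rec["user"]].add(int(value))
    return {user: sorted(ids) for user, ids in seen.items()}


def is_consecutive_run(ids: List[int]) -> bool:
    """True when the sorted IDs are a gap-free ascending sequence."""
    return len(ids) > 1 and ids == list(range(ids[0], ids[0] + len(ids)))


def find_enumerators(lines: Iterable[str], threshold: int = 3) -> List[dict]:
    """Callers whose count of distinct targets reaches the threshold."""
    findings = []
    for user, ids in targets_by_caller(lines).items():
        if len(ids) >= threshold:
            findings.append({
                "caller": user,
                "distinct_targets": len(ids),
                "consecutive": is_consecutive_run(ids),
                "targets": ids,
            })
    return findings


if __name__ == "__main__":
    for finding in find_enumerators(SAMPLE_LOG):
        print(finding)
```

A teacher or administrator legitimately reviewing a whole class will also query many user IDs, so the threshold should be set per role, and a finding is strongest when cross-checked against enrollment data: a caller reading stats for users outside every course they are enrolled in or teach is the pattern the advisory describes. Note that the 403 line is ignored because, on a patched instance, a denied request disclosed nothing; on an unpatched instance these requests return 200 and are counted.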
Monitoring Recommendations
- Enable verbose logging on REST API endpoints, particularly those handling user statistics and academic data
- Configure alerting for high-volume API requests from individual user sessions
- Implement user behavior analytics to identify access patterns inconsistent with normal student or instructor activity
- Regularly audit API access logs for evidence of enumeration attacks or unauthorized data access
How to Mitigate CVE-2026-33141
Immediate Actions Required
- Upgrade Chamilo LMS to version 2.0.0-RC.3 or later immediately
- Audit API access logs for evidence of exploitation or unauthorized data access
- Review user accounts for suspicious activity patterns targeting the stats endpoint
- Consider temporarily restricting access to the affected REST API endpoint until patching is complete
Patch Information
This vulnerability is fixed in Chamilo LMS version 2.0.0-RC.3. The fix is available in the GitHub commit 792ba059. Organizations should upgrade to the patched version as soon as possible. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Implement additional access control at the web server or reverse proxy level to restrict access to the affected API endpoint
- Deploy a web application firewall (WAF) with rules to detect and block parameter tampering on user ID fields
- Restrict access to the REST API to only trusted network segments or authenticated administrative users until patching is possible
- Monitor and alert on any access to the stats API endpoint while awaiting the upgrade
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

