CVE-2026-33618 Overview
CVE-2026-33618 is a Code Injection vulnerability in Chamilo LMS, an open-source learning management system. The vulnerability exists in the PlatformConfigurationController::decodeSettingArray() method, which uses PHP's dangerous eval() function to parse platform settings retrieved from the database. An attacker who has gained admin access can inject arbitrary PHP code into platform settings. This malicious code is then executed when any user—including unauthenticated visitors—requests the /platform-config/list endpoint, resulting in remote code execution on the server.
Critical Impact
This vulnerability allows authenticated attackers with admin privileges to achieve arbitrary PHP code execution affecting all users, including unauthenticated visitors accessing the platform configuration endpoint.
Affected Products
- Chamilo LMS versions prior to 2.0.0-RC.3
Discovery Timeline
- April 10, 2026 - CVE-2026-33618 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33618
Vulnerability Analysis
This vulnerability is classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, also known as Eval Injection). The core issue lies in the use of PHP's eval() function to process platform settings stored in the database. The eval() function executes arbitrary PHP code passed to it as a string, making it extremely dangerous when processing user-controllable data.
In the vulnerable implementation, the decodeSettingArray() method attempted to handle settings that were stored as PHP array code strings by evaluating them directly. This design pattern creates a critical attack surface—if an attacker can control the data stored in platform settings (which administrators can), they can inject malicious PHP code that will be executed server-side.
The attack surface is particularly concerning because the vulnerable endpoint /platform-config/list is accessible to unauthenticated users, meaning that once the malicious code is injected by an admin, it executes whenever anyone accesses this public endpoint.
Root Cause
The root cause is the use of PHP's eval() function to parse platform settings that may be stored as PHP array code strings in the database. This approach violates the principle of never executing data as code, especially when that data originates from a potentially compromised storage layer. The developers likely implemented this for backward compatibility or convenience when handling legacy array format settings, but it introduced a critical code injection vulnerability.
Attack Vector
The attack requires network access and exploits the application's trust in database-stored settings. An attacker who has obtained admin privileges (potentially through a separate vulnerability referenced as "Advisory 1" in the security disclosure) can:
- Access the Chamilo LMS admin panel
- Inject malicious PHP code into a platform setting field
- The malicious payload persists in the database
- When any user (authenticated or not) requests /platform-config/list, the vulnerable decodeSettingArray() method processes the setting
- The eval() function executes the injected PHP code with the web server's privileges
The following code snippet shows the security patch that was applied to fix this vulnerability:
* Attempts to decode a setting value that may be stored as:
* - native PHP array
* - JSON string
- * - PHP array code string
*/
private function decodeSettingArray(mixed $setting): array
{
Source: GitHub Commit
The patch removes support for parsing PHP array code strings, eliminating the need for eval() and restricting settings to native PHP arrays or JSON strings only.
Detection Methods for CVE-2026-33618
Indicators of Compromise
- Unusual PHP code patterns stored in the Chamilo platform settings database table
- Unexpected outbound network connections originating from the web server
- Suspicious processes spawned by the PHP/web server process
- Web server error logs containing PHP eval-related errors or execution traces
- Anomalous modifications to platform configuration settings by admin accounts
Detection Strategies
- Monitor for suspicious requests to /platform-config/list endpoint with unusual response times or sizes
- Implement database integrity monitoring to detect unauthorized changes to platform settings
- Deploy web application firewalls (WAF) with rules to detect PHP code injection patterns
- Review admin account activity logs for unauthorized or suspicious configuration changes
- Implement file integrity monitoring on the Chamilo installation to detect webshell deployments
Monitoring Recommendations
- Enable comprehensive logging for all admin panel activities and configuration changes
- Configure SIEM rules to alert on unusual patterns in PHP error logs
- Monitor for new file creation in web-accessible directories
- Implement network egress monitoring to detect reverse shell connections or data exfiltration
How to Mitigate CVE-2026-33618
Immediate Actions Required
- Upgrade Chamilo LMS to version 2.0.0-RC.3 or later immediately
- Review admin account access and revoke unnecessary privileges
- Audit platform settings database for any suspicious PHP code patterns
- Review web server and application logs for signs of exploitation
- Reset credentials for all admin accounts as a precautionary measure
Patch Information
The vulnerability has been addressed in Chamilo LMS version 2.0.0-RC.3. The security fix removes the dangerous eval() call from the decodeSettingArray() method by eliminating support for PHP array code string formats. Settings are now restricted to native PHP arrays or JSON strings, which can be safely parsed without code execution.
Detailed patch information is available in the GitHub Security Advisory GHSA-hp4w-jmwc-pg7w and the commit that implements the fix.
Workarounds
- Restrict access to the /platform-config/list endpoint at the web server level if not required for public access
- Implement strict admin account access controls and multi-factor authentication
- Deploy a web application firewall to filter potentially malicious requests
- Consider isolating the Chamilo LMS application in a containerized environment with minimal privileges
# Example: Restrict access to the vulnerable endpoint via Apache .htaccess
# Add to .htaccess in Chamilo root directory
<Location "/platform-config/list">
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
