CVE-2026-33702: Chamilo LMS Auth Bypass Vulnerability

CVE-2026-33702 Overview

CVE-2026-33702 is an Insecure Direct Object Reference (IDOR) vulnerability discovered in Chamilo LMS, a popular open-source learning management system. The vulnerability exists in the Learning Path progress saving endpoint (lp_ajax_save_item.php), which accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress without verifying that the requesting user matches the target user ID.

This authorization bypass allows any authenticated user enrolled in a course to overwrite another user's Learning Path progress—including score, status, completion, and time—by simply changing the uid parameter in the request.

Critical Impact
Any authenticated user can manipulate other users' learning progress data, compromising academic integrity and potentially enabling grade falsification or sabotage of student records.

Affected Products

Chamilo LMS versions prior to 1.11.38
Chamilo LMS 2.0.0-alpha1 through 2.0.0-alpha5
Chamilo LMS 2.0.0-beta1 through 2.0.0-beta3
Chamilo LMS 2.0.0-rc1 and 2.0.0-rc2

Discovery Timeline

April 10, 2026 - CVE-2026-33702 published to NVD
April 16, 2026 - Last updated in NVD database

Technical Details for CVE-2026-33702

Vulnerability Analysis

The vulnerability stems from a fundamental access control failure in Chamilo LMS's Learning Path module. The lp_ajax_save_item.php endpoint is responsible for persisting user progress in learning paths, including scores, completion status, and time spent. However, the implementation directly trusts the uid parameter from the HTTP request without validating that the authenticated session user has permission to modify the specified user's data.

This creates a horizontal privilege escalation scenario where any enrolled user can act on behalf of any other user within the same course context. The impact is particularly severe in educational environments where progress tracking is used for assessment, certification, or compliance purposes.

Root Cause

The root cause is improper authorization verification in the lp_ajax_save_item.php file. The vulnerable code reads the user ID directly from $_REQUEST['uid'] instead of using the authenticated session's user ID via the api_get_user_id() function. This violates the principle that user-controlled input should never be trusted for authorization decisions.

The code pattern $_REQUEST['uid'] allows an attacker to substitute any user ID value, bypassing the implicit assumption that users can only modify their own progress records.

Attack Vector

The attack can be executed remotely over the network by any authenticated user with course enrollment. The attacker needs to:

Authenticate to Chamilo LMS with valid credentials
Enroll in a course that contains Learning Paths
Intercept or craft a request to lp_ajax_save_item.php
Replace the uid parameter with a target user's ID
Submit modified progress data (score, status, completion time)

The following patch demonstrates the fix applied by Chamilo developers:

php

// Vulnerable code (before patch) - main/lp/lp_ajax_save_item.php
// The uid parameter was taken directly from user input

// Fixed code (after patch)
// Always use the authenticated user's ID to prevent IDOR — never trust
// the uid from the request, as any enrolled user could overwrite another
// user's Learning Path progress by changing this parameter.
echo save_item(
    (!empty($_REQUEST['lid']) ? $_REQUEST['lid'] : null),
    api_get_user_id(),
    (!empty($_REQUEST['vid']) ? $_REQUEST['vid'] : null),
    (!empty($_REQUEST['iid']) ? $_REQUEST['iid'] : null),
    (!empty($_REQUEST['s']) ? $_REQUEST['s'] : null),

Source: GitHub Commit 6331d05

The same pattern was applied to the 2.x branch:

php

$result = ScormApi::saveItem(
    $_REQUEST['lid'] ?? null,
    api_get_user_id(),
    $_REQUEST['vid'] ?? null,
    $_REQUEST['iid'] ?? null,
    $_REQUEST['s'] ?? null,

Source: GitHub Commit bf3f6c6

Detection Methods for CVE-2026-33702

Indicators of Compromise

Unusual patterns in Learning Path progress updates where user IDs in requests don't match authenticated session users
Rapid or bulk modifications to multiple users' progress records from a single session
Anomalous score changes or completion status updates that don't correlate with actual learning activity
Web server logs showing requests to lp_ajax_save_item.php with varying uid parameters from the same session

Detection Strategies

Implement web application firewall (WAF) rules to detect parameter tampering attempts on the uid parameter in requests to /main/lp/lp_ajax_save_item.php
Enable detailed logging of all Learning Path progress modifications including both the authenticated user and the target user ID
Deploy application-level intrusion detection to correlate session identities with request parameters
Monitor database audit logs for UPDATE operations on learning path progress tables that don't originate from expected application workflows

Monitoring Recommendations

Configure alerts for Learning Path progress modifications where the requesting user differs from the target user
Implement rate limiting on the lp_ajax_save_item.php endpoint to detect bulk exploitation attempts
Establish baseline metrics for normal progress update patterns and alert on statistical deviations
Review web server access logs regularly for suspicious patterns targeting Learning Path endpoints

How to Mitigate CVE-2026-33702

Immediate Actions Required

Upgrade Chamilo LMS to version 1.11.38 or later for the 1.x branch
Upgrade Chamilo LMS to version 2.0.0-RC.3 or later for the 2.x branch
Audit existing Learning Path progress data for signs of tampering or unauthorized modifications
Review web server logs for historical exploitation attempts targeting the vulnerable endpoint

Patch Information

Chamilo has released security patches that replace the user-controlled uid parameter with the authenticated session's user ID via the api_get_user_id() function. This ensures that users can only modify their own Learning Path progress.

Security patches are available in the following commits:

1.x branch: Commit 6331d05
2.x branch: Commit bf3f6c6

For complete details, refer to the GitHub Security Advisory GHSA-3rv7-9fhx-j654.

Workarounds

If immediate patching is not possible, restrict access to the lp_ajax_save_item.php endpoint at the web server level while maintaining core functionality
Implement a reverse proxy rule that strips or validates the uid parameter against the authenticated session
Temporarily disable Learning Path functionality in environments where progress integrity is critical until patching can be completed
Monitor and alert on all access to the vulnerable endpoint as a compensating control

bash

# Example Apache configuration to log and monitor vulnerable endpoint
# Add to .htaccess or virtual host configuration
<LocationMatch "/main/lp/lp_ajax_save_item\.php">
    # Enable detailed logging for forensic analysis
    CustomLog /var/log/chamilo/lp_access.log combined
    # Consider implementing IP-based restrictions if appropriate
    # Require ip 192.168.1.0/24
</LocationMatch>

CVE-2026-33702 Overview

Critical Impact
Any authenticated user can manipulate other users' learning progress data, compromising academic integrity and potentially enabling grade falsification or sabotage of student records.

Affected Products

Chamilo LMS versions prior to 1.11.38
Chamilo LMS 2.0.0-alpha1 through 2.0.0-alpha5
Chamilo LMS 2.0.0-beta1 through 2.0.0-beta3
Chamilo LMS 2.0.0-rc1 and 2.0.0-rc2

Discovery Timeline

April 10, 2026 - CVE-2026-33702 published to NVD
April 16, 2026 - Last updated in NVD database

Technical Details for CVE-2026-33702

Vulnerability Analysis

Root Cause

The code pattern $_REQUEST['uid'] allows an attacker to substitute any user ID value, bypassing the implicit assumption that users can only modify their own progress records.

Attack Vector

The attack can be executed remotely over the network by any authenticated user with course enrollment. The attacker needs to:

Authenticate to Chamilo LMS with valid credentials
Enroll in a course that contains Learning Paths
Intercept or craft a request to lp_ajax_save_item.php
Replace the uid parameter with a target user's ID
Submit modified progress data (score, status, completion time)

The following patch demonstrates the fix applied by Chamilo developers:

php

// Vulnerable code (before patch) - main/lp/lp_ajax_save_item.php
// The uid parameter was taken directly from user input

// Fixed code (after patch)
// Always use the authenticated user's ID to prevent IDOR — never trust
// the uid from the request, as any enrolled user could overwrite another
// user's Learning Path progress by changing this parameter.
echo save_item(
    (!empty($_REQUEST['lid']) ? $_REQUEST['lid'] : null),
    api_get_user_id(),
    (!empty($_REQUEST['vid']) ? $_REQUEST['vid'] : null),
    (!empty($_REQUEST['iid']) ? $_REQUEST['iid'] : null),
    (!empty($_REQUEST['s']) ? $_REQUEST['s'] : null),

Source: GitHub Commit 6331d05

The same pattern was applied to the 2.x branch:

php

$result = ScormApi::saveItem(
    $_REQUEST['lid'] ?? null,
    api_get_user_id(),
    $_REQUEST['vid'] ?? null,
    $_REQUEST['iid'] ?? null,
    $_REQUEST['s'] ?? null,

Source: GitHub Commit bf3f6c6

Detection Methods for CVE-2026-33702

Indicators of Compromise

Unusual patterns in Learning Path progress updates where user IDs in requests don't match authenticated session users
Rapid or bulk modifications to multiple users' progress records from a single session
Anomalous score changes or completion status updates that don't correlate with actual learning activity
Web server logs showing requests to lp_ajax_save_item.php with varying uid parameters from the same session

Detection Strategies

Implement web application firewall (WAF) rules to detect parameter tampering attempts on the uid parameter in requests to /main/lp/lp_ajax_save_item.php
Enable detailed logging of all Learning Path progress modifications including both the authenticated user and the target user ID
Deploy application-level intrusion detection to correlate session identities with request parameters
Monitor database audit logs for UPDATE operations on learning path progress tables that don't originate from expected application workflows

Monitoring Recommendations

Configure alerts for Learning Path progress modifications where the requesting user differs from the target user
Implement rate limiting on the lp_ajax_save_item.php endpoint to detect bulk exploitation attempts
Establish baseline metrics for normal progress update patterns and alert on statistical deviations
Review web server access logs regularly for suspicious patterns targeting Learning Path endpoints

How to Mitigate CVE-2026-33702

Immediate Actions Required

Upgrade Chamilo LMS to version 1.11.38 or later for the 1.x branch
Upgrade Chamilo LMS to version 2.0.0-RC.3 or later for the 2.x branch
Audit existing Learning Path progress data for signs of tampering or unauthorized modifications
Review web server logs for historical exploitation attempts targeting the vulnerable endpoint

Patch Information

Security patches are available in the following commits:

1.x branch: Commit 6331d05
2.x branch: Commit bf3f6c6

For complete details, refer to the GitHub Security Advisory GHSA-3rv7-9fhx-j654.

Workarounds

If immediate patching is not possible, restrict access to the lp_ajax_save_item.php endpoint at the web server level while maintaining core functionality
Implement a reverse proxy rule that strips or validates the uid parameter against the authenticated session
Temporarily disable Learning Path functionality in environments where progress integrity is critical until patching can be completed
Monitor and alert on all access to the vulnerable endpoint as a compensating control

bash

# Example Apache configuration to log and monitor vulnerable endpoint
# Add to .htaccess or virtual host configuration
<LocationMatch "/main/lp/lp_ajax_save_item\.php">
    # Enable detailed logging for forensic analysis
    CustomLog /var/log/chamilo/lp_access.log combined
    # Consider implementing IP-based restrictions if appropriate
    # Require ip 192.168.1.0/24
</LocationMatch>

CVE-2026-33702: Chamilo LMS Auth Bypass Vulnerability

CVE-2026-33702 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-33702

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-33702

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-33702

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-33702: Chamilo LMS Auth Bypass Vulnerability

CVE-2026-33702 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-33702

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-33702

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-33702

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform