Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33705

CVE-2026-33705: Chamilo LMS Information Disclosure Flaw

CVE-2026-33705 is an information disclosure vulnerability in Chamilo LMS that exposes internal application logic and sensitive endpoints without authentication. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-33705 Overview

CVE-2026-33705 is an information disclosure vulnerability in Chamilo LMS, a popular open-source learning management system. Prior to version 1.11.38, Twig template files (.tpl) located under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure, providing attackers with valuable reconnaissance information that could facilitate further attacks against the application.

Critical Impact

Unauthenticated attackers can access internal template files revealing application architecture, AJAX endpoints, and admin panel structure, enabling targeted attacks against Chamilo LMS installations.

Affected Products

  • Chamilo LMS versions prior to 1.11.38
  • All installations with default web server configurations allowing direct .tpl file access
  • Self-hosted Chamilo LMS deployments without proper access restrictions

Discovery Timeline

  • 2026-04-10 - CVE-2026-33705 published to NVD
  • 2026-04-16 - Last updated in NVD database

Technical Details for CVE-2026-33705

Vulnerability Analysis

This vulnerability stems from improper access control configuration that allows direct HTTP access to Twig template files. In Chamilo LMS, templates are designed to be loaded internally by PHP via the filesystem during server-side rendering operations—they should never be accessible through web requests.

When template files are exposed, attackers gain visibility into the application's internal structure, including:

  • Internal variable names and data structures used in the application
  • AJAX endpoint URLs and their expected parameters
  • Admin panel layout and functionality mapping
  • Authentication and authorization flow patterns

This information leakage (CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory) provides attackers with a detailed blueprint of the application, significantly reducing the effort required to identify and exploit other vulnerabilities.

Root Cause

The root cause is the absence of web server access restrictions on .tpl template files within the /main/template/ directory. By default, the web server serves any requested file from the document root unless explicitly blocked. Since Twig templates are legitimate files in the web-accessible directory structure but are only meant for internal PHP consumption, they require explicit denial rules to prevent external access.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can simply enumerate and request template files directly via HTTP GET requests to URLs such as:

GET /main/template/default/layout/head.tpl HTTP/1.1
GET /main/template/default/admin/index.tpl HTTP/1.1
GET /main/template/default/auth/login.tpl HTTP/1.1

The server responds with the raw template content, revealing embedded logic, conditionals, variable references, and endpoint configurations that should remain hidden from external users.

Detection Methods for CVE-2026-33705

Indicators of Compromise

  • Web server access logs showing HTTP GET requests to .tpl files under /main/template/ paths
  • Unusual traffic patterns involving sequential requests to multiple template files (enumeration behavior)
  • Access attempts from external IP addresses targeting template directories
  • Requests returning 200 OK responses for .tpl file extensions

Detection Strategies

  • Configure web server logging to flag requests for .tpl file extensions as potential reconnaissance
  • Implement web application firewall (WAF) rules to alert on or block direct template file access
  • Deploy file integrity monitoring on template directories to detect unauthorized access patterns
  • Enable detailed access logging for the /main/template/ directory structure

Monitoring Recommendations

  • Monitor HTTP response codes for requests targeting .tpl files (200 responses indicate exposure)
  • Track unique IP addresses requesting template file paths for anomaly detection
  • Correlate template file access with subsequent attack patterns against disclosed endpoints
  • Review web server configurations periodically to ensure access restrictions remain in place

How to Mitigate CVE-2026-33705

Immediate Actions Required

  • Upgrade Chamilo LMS to version 1.11.38 or later immediately
  • Apply the .htaccess access restriction for .tpl files if immediate upgrade is not possible
  • Audit web server configurations to verify template files are not accessible via HTTP
  • Review access logs for evidence of prior template file exposure or reconnaissance

Patch Information

Chamilo has released version 1.11.38 which addresses this vulnerability by implementing proper access controls on template files. The fix introduces an .htaccess file in the template directory that explicitly denies HTTP access to .tpl files.

The security patch adds the following Apache configuration:

text
# Deny direct access to template files.
# Templates are loaded by PHP internally via the filesystem, not via HTTP,
# so they never need to be web-accessible.
<FilesMatch "\.tpl$">
    Require all denied
</FilesMatch>

Source: GitHub Commit Change

For additional details, refer to the GitHub Security Advisory GHSA-5wjg-8x28-px57.

Workarounds

  • Manually create an .htaccess file in /main/template/ with FilesMatch rules denying access to .tpl files
  • For nginx deployments, add a location block denying access to files matching \.tpl$ pattern
  • Implement network-level access controls to restrict template directory access
  • Use a reverse proxy or WAF to filter requests targeting template file extensions
bash
# For nginx servers, add to your server configuration:
location ~* \.tpl$ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.