CVE-2026-33705 Overview
CVE-2026-33705 is an information disclosure vulnerability in Chamilo LMS, a popular open-source learning management system. Prior to version 1.11.38, Twig template files (.tpl) located under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure, providing attackers with valuable reconnaissance information that could facilitate further attacks against the application.
Critical Impact
Unauthenticated attackers can access internal template files revealing application architecture, AJAX endpoints, and admin panel structure, enabling targeted attacks against Chamilo LMS installations.
Affected Products
- Chamilo LMS versions prior to 1.11.38
- All installations with default web server configurations allowing direct .tpl file access
- Self-hosted Chamilo LMS deployments without proper access restrictions
Discovery Timeline
- 2026-04-10 - CVE-2026-33705 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-33705
Vulnerability Analysis
This vulnerability stems from improper access control configuration that allows direct HTTP access to Twig template files. In Chamilo LMS, templates are designed to be loaded internally by PHP via the filesystem during server-side rendering operations—they should never be accessible through web requests.
When template files are exposed, attackers gain visibility into the application's internal structure, including:
- Internal variable names and data structures used in the application
- AJAX endpoint URLs and their expected parameters
- Admin panel layout and functionality mapping
- Authentication and authorization flow patterns
This information leakage (CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory) provides attackers with a detailed blueprint of the application, significantly reducing the effort required to identify and exploit other vulnerabilities.
Root Cause
The root cause is the absence of web server access restrictions on .tpl template files within the /main/template/ directory. By default, the web server serves any requested file from the document root unless explicitly blocked. Since Twig templates are legitimate files in the web-accessible directory structure but are only meant for internal PHP consumption, they require explicit denial rules to prevent external access.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can simply enumerate and request template files directly via HTTP GET requests to URLs such as:
GET /main/template/default/layout/head.tpl HTTP/1.1
GET /main/template/default/admin/index.tpl HTTP/1.1
GET /main/template/default/auth/login.tpl HTTP/1.1
The server responds with the raw template content, revealing embedded logic, conditionals, variable references, and endpoint configurations that should remain hidden from external users.
Detection Methods for CVE-2026-33705
Indicators of Compromise
- Web server access logs showing HTTP GET requests to .tpl files under /main/template/ paths
- Unusual traffic patterns involving sequential requests to multiple template files (enumeration behavior)
- Access attempts from external IP addresses targeting template directories
- Requests returning 200 OK responses for .tpl file extensions
Detection Strategies
- Configure web server logging to flag requests for .tpl file extensions as potential reconnaissance
- Implement web application firewall (WAF) rules to alert on or block direct template file access
- Deploy file integrity monitoring on template directories to detect unauthorized access patterns
- Enable detailed access logging for the /main/template/ directory structure
Monitoring Recommendations
- Monitor HTTP response codes for requests targeting .tpl files (200 responses indicate exposure)
- Track unique IP addresses requesting template file paths for anomaly detection
- Correlate template file access with subsequent attack patterns against disclosed endpoints
- Review web server configurations periodically to ensure access restrictions remain in place
How to Mitigate CVE-2026-33705
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.38 or later immediately
- Apply the .htaccess access restriction for .tpl files if immediate upgrade is not possible
- Audit web server configurations to verify template files are not accessible via HTTP
- Review access logs for evidence of prior template file exposure or reconnaissance
Patch Information
Chamilo has released version 1.11.38 which addresses this vulnerability by implementing proper access controls on template files. The fix introduces an .htaccess file in the template directory that explicitly denies HTTP access to .tpl files.
The security patch adds the following Apache configuration:
# Deny direct access to template files.
# Templates are loaded by PHP internally via the filesystem, not via HTTP,
# so they never need to be web-accessible.
<FilesMatch "\.tpl$">
Require all denied
</FilesMatch>
Source: GitHub Commit Change
For additional details, refer to the GitHub Security Advisory GHSA-5wjg-8x28-px57.
Workarounds
- Manually create an .htaccess file in /main/template/ with FilesMatch rules denying access to .tpl files
- For nginx deployments, add a location block denying access to files matching \.tpl$ pattern
- Implement network-level access controls to restrict template directory access
- Use a reverse proxy or WAF to filter requests targeting template file extensions
# For nginx servers, add to your server configuration:
location ~* \.tpl$ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
