CVE-2026-33706 Overview
CVE-2026-33706 is a privilege escalation vulnerability in Chamilo LMS, a widely used open-source learning management system. Prior to version 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. This allows a student (status=5) to change their status to Teacher/CourseManager (status=1), gaining unauthorized course creation and management privileges.
Critical Impact
Authenticated users can escalate privileges from student to teacher/administrator roles, enabling unauthorized course management and potentially compromising the integrity of the entire learning platform.
Affected Products
- Chamilo LMS versions prior to 1.11.38
- All installations with REST API enabled and user API keys issued
- Deployments allowing student self-registration with API access
Discovery Timeline
- 2026-04-10 - CVE-2026-33706 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-33706
Vulnerability Analysis
The vulnerability resides in the REST API endpoint responsible for user profile updates. The update_user_from_username function in Chamilo LMS failed to properly restrict which user fields could be modified by non-administrative users. While the endpoint correctly verified that users could only modify their own profiles (unless they were platform administrators), it did not restrict the specific fields that could be updated.
This oversight allowed any authenticated user to modify privileged fields including status, roles, auth_source, enabled, active, creator_id, registration_date, expiration_date, hr_dept_id, and official_code through REST API calls. The most impactful exploitation involves modifying the status field to elevate from student (status=5) to Teacher/CourseManager (status=1).
Root Cause
The root cause is improper access control (CWE-269) in the REST API user update functionality. The original code only validated whether the requesting user was either a platform administrator or the owner of the account being modified, but failed to implement field-level access restrictions. This allowed unprivileged users to modify sensitive account attributes that should only be changeable by administrators.
Attack Vector
An attacker with a valid student account and REST API key can craft a malicious API request to the update_user_from_username endpoint, including the status parameter set to 1 (Teacher/CourseManager). The attack is network-based, requires low privileges (any authenticated user), and does not require user interaction. Upon successful exploitation, the attacker gains elevated privileges within the learning management system.
throw new Exception(get_lang('NoData'));
}
- if (!api_is_platform_admin() && $userId != $this->user->getId()) {
+ $isAdmin = api_is_platform_admin();
+
+ if (!$isAdmin && $userId != $this->user->getId()) {
self::throwNotAllowedException();
}
+ // Fields that only platform admins may change
+ $adminOnlyFields = [
+ 'status',
+ 'roles',
+ 'auth_source',
+ 'enabled',
+ 'active',
+ 'creator_id',
+ 'registration_date',
+ 'expiration_date',
+ 'hr_dept_id',
+ 'official_code',
+ ];
+
if (!empty($parameters['new_login_name'])) {
// Make sure the new username, if set, is available
if (!UserManager::is_username_available($parameters['new_login_name'])) {
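Review bot: the new $adminOnlyFields array is declared but nothing in the shown lines consumes it, and $isAdmin is used only in the same ownership condition as before; the enforcement that makes this a fix (for example `if (!$isAdmin) { foreach ($adminOnlyFields as $f) { unset($parameters[$f]); } }`, or a `self::throwNotAllowedException()` when any such key is present) must sit before the new_login_name handling and the later field application so that a non-admin request can never reach the write with `status` still set. Prefer rejecting over silently dropping, so the attempt surfaces in the logs the Detection section relies on.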
Source: GitHub Commit Update
Detection Methods for CVE-2026-33706
Indicators of Compromise
- REST API calls to update_user_from_username endpoint containing status, roles, or other admin-only fields from non-admin users
- Sudden changes in user status from student (5) to Teacher/CourseManager (1) without corresponding administrative action in audit logs
- Unusual course creation activity by users who were recently students
- Database modifications to user records where the status field changed without matching admin session activity
Detection Strategies
- Implement API request logging and alerting for calls containing sensitive fields like status, roles, or auth_source
- Monitor user privilege changes in the database and correlate with legitimate administrative actions
- Deploy web application firewall (WAF) rules to detect and block API requests attempting to modify restricted fields
- Review Chamilo access logs for anomalous patterns in REST API usage
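The following Python applies the indicators and detection strategies above to constructed sample data; it is an added example, not code from the page or the Chamilo project, and the application-level log format, its field names, and the audit rows are assumptions.

```python
"""Detection logic for CVE-2026-33706 over constructed Chamilo REST API logs.

Assumes an application-level JSON-lines log (assumed format) with: ts, action,
requester, requester_is_admin, params; plus a constructed user-status audit trail.
"""
import json

# Fields the 1.11.38 fix reserves for platform admins (listed in the advisory).
ADMIN_ONLY_FIELDS = {
    "status", "roles", "auth_source", "enabled", "active", "creator_id",
    "registration_date", "expiration_date", "hr_dept_id", "official_code",
}
STUDENT, TEACHER = 5, 1      # Chamilo status codes cited on the page
PRIVILEGED = {TEACHER}       # extend with other privileged codes as needed

# Constructed sample log: a benign self-update, an escalation attempt, an admin change.
SAMPLE_API_LOG = """
{"ts": "2026-04-11T09:00:01Z", "action": "update_user_from_username", "requester": "alice", "requester_is_admin": false, "params": {"username": "alice", "phone": "555-0100"}}
{"ts": "2026-04-11T09:02:17Z", "action": "update_user_from_username", "requester": "bob", "requester_is_admin": false, "params": {"username": "bob", "status": 1}}
{"ts": "2026-04-11T09:05:00Z", "action": "update_user_from_username", "requester": "root", "requester_is_admin": true, "params": {"username": "carol", "status": 1}}
"""

def flag_api_requests(log_text):
    """Return (ts, requester, offending fields) for non-admin calls that touch admin-only fields."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["action"] != "update_user_from_username" or rec["requester_is_admin"]:
            continue
        touched = sorted(ADMIN_ONLY_FIELDS & set(rec["params"]))
        if touched:
            hits.append((rec["ts"], rec["requester"], touched))
    return hits

# Constructed audit rows: (ts, user, old_status, new_status, admin_session_id or None)
SAMPLE_AUDIT = [
    ("2026-04-11T09:02:17Z", "bob", STUDENT, TEACHER, None),
    ("2026-04-11T09:05:00Z", "carol", STUDENT, TEACHER, "sess-admin-42"),
]

def flag_status_changes(rows):
    """Return users who gained a privileged status with no admin session behind the change."""
    return [u for _, u, old, new, sess in rows
            if new in PRIVILEGED and old not in PRIVILEGED and sess is None]

if __name__ == "__main__":
    for hit in flag_api_requests(SAMPLE_API_LOG):
        print("API escalation attempt:", hit)
    for user in flag_status_changes(SAMPLE_AUDIT):
        print("Unexplained privilege change:", user)
```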
Monitoring Recommendations
- Enable detailed logging for all REST API endpoints, particularly user modification functions
- Configure SIEM alerts for user status field changes that occur outside of administrative workflows
- Implement database audit triggers on the user table to track privilege-related column modifications
- Regularly audit user accounts for unexpected privilege elevations
How to Mitigate CVE-2026-33706
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.38 or later immediately
- Audit all user accounts for unauthorized privilege escalations that may have occurred prior to patching
- Review REST API access keys and revoke any suspicious or unnecessary API credentials
- Temporarily disable REST API access if upgrade cannot be performed immediately
Patch Information
The vulnerability is fixed in Chamilo LMS version 1.11.38. The security patch introduces field-level access control in the REST API user update functionality. The fix adds an $adminOnlyFields array containing sensitive fields (status, roles, auth_source, enabled, active, creator_id, registration_date, expiration_date, hr_dept_id, official_code) that can only be modified by platform administrators. For detailed information, refer to the GitHub Security Advisory GHSA-3gqc-xr75-pcpw.
Workarounds
- Disable REST API functionality entirely until the patch can be applied
- Implement reverse proxy or WAF rules to block API requests containing sensitive parameters
- Revoke all non-essential REST API keys, limiting access to trusted administrative users only
- Add database-level triggers to prevent unauthorized status field modifications
# Configuration example
# Temporary workaround: Disable REST API in Apache configuration
# Add to your Chamilo virtual host configuration (path assumes Chamilo is served from the web root; adjust if installed under a sub-path)
<Location "/main/webservices/api/">
Require all denied
</Location>
# Or use .htaccess in the webservices directory
# Deny from all  (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" unless mod_access_compat is loaded)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

