CVE-2026-33708 Overview
CVE-2026-33708 is a Missing Authorization vulnerability affecting Chamilo LMS, a popular open-source learning management system used by educational institutions worldwide. Prior to version 1.11.38, the get_user_info_from_username REST API endpoint returns personal information including email addresses, first names, last names, user IDs, and active status of any user to any authenticated user, including students. The endpoint lacks proper authorization checks, allowing any authenticated user to enumerate and extract sensitive personal data from other users in the system.
Critical Impact
Any authenticated user, including students with minimal privileges, can extract personal information of all users in the Chamilo LMS instance, potentially exposing thousands of email addresses and personal details for phishing campaigns or social engineering attacks.
Affected Products
- Chamilo LMS versions prior to 1.11.38
- chamilo chamilo_lms (cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*)
Discovery Timeline
- April 10, 2026 - CVE-2026-33708 published to NVD
- April 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33708
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization). The GET_USER_INFO_FROM_USERNAME REST API endpoint in Chamilo LMS fails to verify whether the requesting user has administrative privileges before returning sensitive user data. This represents a classic Broken Access Control flaw where API endpoints are exposed without proper authorization checks.
The vulnerability allows network-based exploitation with low attack complexity. An attacker only needs low-level privileges (any authenticated account, including a student account) to exploit this flaw. No user interaction is required, and the confidentiality impact is high as attackers can systematically extract personal information from all users in the system.
Root Cause
The root cause is the absence of an authorization check in the REST API handler for the GET_USER_INFO_FROM_USERNAME action. The endpoint processes requests from any authenticated user without validating whether the user has the necessary administrative role to access other users' personal information. This violates the principle of least privilege, as student accounts should not have access to other users' personal data.
Attack Vector
The attack vector is network-based through the REST API. An attacker with any valid authenticated session (even a low-privilege student account) can send requests to the GET_USER_INFO_FROM_USERNAME endpoint with arbitrary usernames. The API will respond with the target user's email, first name, last name, user ID, and account status without any authorization verification.
The security patch addresses this by adding an administrative privilege check before processing the request:
$restResponse->setData($data);
break;
case Rest::GET_USER_INFO_FROM_USERNAME:
+ if (!api_is_platform_admin()) {
+ throw new Exception(get_lang('NotAllowed'));
+ }
+
$loginname = trim($httpRequest->request->get('loginname'));
if (empty($loginname)) {
throw new Exception(get_lang('NoData'));
Source: GitHub Commit 4a119f93abbfba6fe833580f2463c8d4afa500c2
Detection Methods for CVE-2026-33708
Indicators of Compromise
- Unusual volume of requests to /main/webservices/api/v2.php targeting the GET_USER_INFO_FROM_USERNAME action
- Non-administrative user accounts making repeated API calls to user information endpoints
- Log entries showing student or low-privilege accounts querying user information for accounts they shouldn't have access to
- Patterns of sequential or enumerated username queries from a single session
Detection Strategies
- Monitor web server access logs for frequent requests to the REST API endpoint from non-administrative accounts
- Implement rate limiting and alerting on the GET_USER_INFO_FROM_USERNAME endpoint
- Review authentication logs for accounts making bulk user information requests
- Deploy web application firewall (WAF) rules to detect and alert on API enumeration patterns
Monitoring Recommendations
- Enable verbose logging for the Chamilo REST API to capture all user information requests
- Configure SIEM alerts for anomalous API activity patterns, especially from student accounts
- Implement user behavior analytics to detect accounts querying unusual numbers of other users
- Regularly audit API access logs for potential data exfiltration attempts
How to Mitigate CVE-2026-33708
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.38 or later immediately
- Review API access logs to identify any potential exploitation attempts prior to patching
- Audit user accounts for any unauthorized data access or suspicious activity
- Notify affected users if evidence of data exfiltration is discovered
Patch Information
The vulnerability is fixed in Chamilo LMS version 1.11.38. The fix adds an administrative privilege check using the api_is_platform_admin() function before processing user information requests. Organizations should apply this update immediately.
For detailed patch information, refer to:
Workarounds
- If immediate patching is not possible, restrict access to the REST API endpoint at the web server level
- Implement IP-based access controls to limit API access to trusted administrative networks
- Disable the REST API entirely if not required for operations until the patch can be applied
# Apache configuration to restrict API access (temporary workaround)
<Location "/main/webservices/api/v2.php">
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
