CVE-2026-33710: Chamilo LMS Auth Bypass Vulnerability

CVE-2026-33710 Overview

CVE-2026-33710 is an Insecure Random Number Generation vulnerability in Chamilo LMS, a popular open-source learning management system. The vulnerability exists in the REST API key generation mechanism, where keys are created using a predictable formula: md5(time() + (user_id * 5) - rand(10000, 10000)). Due to a critical flaw in the rand() function call where both minimum and maximum parameters are set to 10000, the random component is effectively eliminated, making the formula deterministic: md5(timestamp + user_id*5 - 10000).

Critical Impact
An attacker who knows a username and can estimate the approximate API key creation time can brute-force valid REST API keys, potentially gaining unauthorized access to user accounts and sensitive educational data.

Affected Products

Chamilo LMS versions prior to 1.11.38
Chamilo LMS 2.0.0-alpha1 through 2.0.0-alpha5
Chamilo LMS 2.0.0-beta1 through 2.0.0-beta3
Chamilo LMS 2.0.0-rc1 and 2.0.0-rc2

Discovery Timeline

April 10, 2026 - CVE-2026-33710 published to NVD
April 16, 2026 - Last updated in NVD database

Technical Details for CVE-2026-33710

Vulnerability Analysis

This vulnerability stems from a fundamental cryptographic weakness in how Chamilo LMS generates REST API keys for user authentication. The core issue lies in the PHP code responsible for creating these keys, specifically in the usermanager.lib.php file.

The vulnerable code uses md5((time() + ($user_id * 5)) - rand(10000, 10000)) to generate API keys. The critical flaw is the rand(10000, 10000) call—when both the minimum and maximum parameters are identical, PHP's rand() function will always return that exact value (10000). This completely eliminates any randomness from the key generation process.

As a result, the API key becomes a simple MD5 hash of a predictable value: the Unix timestamp plus five times the user ID, minus the constant 10000. An attacker with knowledge of a target user's ID and an approximate timeframe of when their API key was created can compute all possible keys within that window and attempt authentication.

Root Cause

The root cause is the misuse of PHP's rand() function with identical minimum and maximum parameters (rand(10000, 10000)), which was likely intended to provide randomness but instead produces a constant value. This transforms what should be a cryptographically unpredictable API key into a deterministically calculable value based on publicly observable or guessable information.

The vulnerability falls under CWE-330 (Use of Insufficiently Random Values), as the generated API keys lack the entropy required for secure authentication tokens.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

Identifying a target user's ID (often sequential or enumerable in LMS systems)
Estimating the timeframe when the user's API key was created
Generating all possible MD5 hashes for timestamps within that window
Attempting API authentication with each calculated key until successful

The following code shows the vulnerable implementation and the security patch applied:

Vulnerable Code (removed):

php

$md5 = md5((time() + ($user_id * 5)) - rand(10000, 10000)); //generate some kind of random key

Patched Code (version 1.11.38):

php

$md5 = bin2hex(random_bytes(32));

Source: GitHub Commit Patch

Patched Code (version 2.0.0-RC.3):

php

$apiKey = bin2hex(random_bytes(16)); // cryptographically secure random API key
$num = Database::insert(
    Database::get_main_table(TABLE_MAIN_USER_API_KEY),
    [
        'user_id' => $user_id,
        'api_key' => $apiKey,
        'api_service' => $api_service,
    ]
);

Source: GitHub Commit Update

The fix replaces the weak MD5-based generation with PHP's random_bytes() function, which provides cryptographically secure pseudo-random bytes suitable for authentication tokens.

Detection Methods for CVE-2026-33710

Indicators of Compromise

Unusual volume of REST API authentication attempts against user accounts
Sequential or pattern-based API key values in authentication logs that follow the predictable MD5 format
Multiple failed API authentication attempts followed by a successful one from the same source
API access from unexpected IP addresses or geographic locations

Detection Strategies

Monitor REST API endpoints for brute-force authentication patterns
Implement rate limiting on API key validation endpoints
Review existing API keys in the user_api_key database table for keys that match the weak generation pattern
Deploy Web Application Firewall (WAF) rules to detect and block rapid API authentication attempts

Monitoring Recommendations

Enable detailed logging for all REST API authentication events
Set up alerts for unusual API access patterns or high failure rates
Monitor for automated scanning tools probing API endpoints
Regularly audit API key creation timestamps and usage patterns

How to Mitigate CVE-2026-33710

Immediate Actions Required

Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 immediately
Invalidate and regenerate all existing REST API keys after applying the patch
Review API access logs for any signs of unauthorized access
Implement IP-based rate limiting on API authentication endpoints

Patch Information

Chamilo has released security patches addressing this vulnerability:

Version 1.11.38: Contains the fix using random_bytes(32) for API key generation
Version 2.0.0-RC.3: Contains the fix using random_bytes(16) for API key generation

For detailed patch information, refer to the GitHub Security Advisory GHSA-rpmg-j327-mr39.

Workarounds

Disable REST API functionality if not required until patches can be applied
Implement additional authentication layers (IP allowlisting, VPN requirements) for API access
Deploy a reverse proxy with strict rate limiting in front of the Chamilo application
Monitor and block suspicious API authentication patterns at the network level

bash

# Example: Regenerate API keys after patching (run via Chamilo CLI or database)
# First, backup existing keys for audit purposes
mysqldump -u chamilo_user -p chamilo_db user_api_key > api_keys_backup.sql

# After patching, consider truncating old keys to force regeneration
# WARNING: This will invalidate all existing API integrations
# mysql -u chamilo_user -p chamilo_db -e "TRUNCATE TABLE user_api_key;"

CVE-2026-33710 Overview

Critical Impact
An attacker who knows a username and can estimate the approximate API key creation time can brute-force valid REST API keys, potentially gaining unauthorized access to user accounts and sensitive educational data.

Affected Products

Chamilo LMS versions prior to 1.11.38
Chamilo LMS 2.0.0-alpha1 through 2.0.0-alpha5
Chamilo LMS 2.0.0-beta1 through 2.0.0-beta3
Chamilo LMS 2.0.0-rc1 and 2.0.0-rc2

Discovery Timeline

April 10, 2026 - CVE-2026-33710 published to NVD
April 16, 2026 - Last updated in NVD database

Technical Details for CVE-2026-33710

Vulnerability Analysis

Root Cause

The vulnerability falls under CWE-330 (Use of Insufficiently Random Values), as the generated API keys lack the entropy required for secure authentication tokens.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

Identifying a target user's ID (often sequential or enumerable in LMS systems)
Estimating the timeframe when the user's API key was created
Generating all possible MD5 hashes for timestamps within that window
Attempting API authentication with each calculated key until successful

The following code shows the vulnerable implementation and the security patch applied:

Vulnerable Code (removed):

php

$md5 = md5((time() + ($user_id * 5)) - rand(10000, 10000)); //generate some kind of random key

Patched Code (version 1.11.38):

php

$md5 = bin2hex(random_bytes(32));

Source: GitHub Commit Patch

Patched Code (version 2.0.0-RC.3):

php

$apiKey = bin2hex(random_bytes(16)); // cryptographically secure random API key
$num = Database::insert(
    Database::get_main_table(TABLE_MAIN_USER_API_KEY),
    [
        'user_id' => $user_id,
        'api_key' => $apiKey,
        'api_service' => $api_service,
    ]
);

Source: GitHub Commit Update

The fix replaces the weak MD5-based generation with PHP's random_bytes() function, which provides cryptographically secure pseudo-random bytes suitable for authentication tokens.

Detection Methods for CVE-2026-33710

Indicators of Compromise

Unusual volume of REST API authentication attempts against user accounts
Sequential or pattern-based API key values in authentication logs that follow the predictable MD5 format
Multiple failed API authentication attempts followed by a successful one from the same source
API access from unexpected IP addresses or geographic locations

Detection Strategies

Monitor REST API endpoints for brute-force authentication patterns
Implement rate limiting on API key validation endpoints
Review existing API keys in the user_api_key database table for keys that match the weak generation pattern
Deploy Web Application Firewall (WAF) rules to detect and block rapid API authentication attempts

Monitoring Recommendations

Enable detailed logging for all REST API authentication events
Set up alerts for unusual API access patterns or high failure rates
Monitor for automated scanning tools probing API endpoints
Regularly audit API key creation timestamps and usage patterns

How to Mitigate CVE-2026-33710

Immediate Actions Required

Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 immediately
Invalidate and regenerate all existing REST API keys after applying the patch
Review API access logs for any signs of unauthorized access
Implement IP-based rate limiting on API authentication endpoints

Patch Information

Chamilo has released security patches addressing this vulnerability:

Version 1.11.38: Contains the fix using random_bytes(32) for API key generation
Version 2.0.0-RC.3: Contains the fix using random_bytes(16) for API key generation

For detailed patch information, refer to the GitHub Security Advisory GHSA-rpmg-j327-mr39.

Workarounds

Disable REST API functionality if not required until patches can be applied
Implement additional authentication layers (IP allowlisting, VPN requirements) for API access
Deploy a reverse proxy with strict rate limiting in front of the Chamilo application
Monitor and block suspicious API authentication patterns at the network level

bash

# Example: Regenerate API keys after patching (run via Chamilo CLI or database)
# First, backup existing keys for audit purposes
mysqldump -u chamilo_user -p chamilo_db user_api_key > api_keys_backup.sql

# After patching, consider truncating old keys to force regeneration
# WARNING: This will invalidate all existing API integrations
# mysql -u chamilo_user -p chamilo_db -e "TRUNCATE TABLE user_api_key;"

CVE-2026-33710: Chamilo LMS Auth Bypass Vulnerability

CVE-2026-33710 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-33710

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-33710

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-33710

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-33710: Chamilo LMS Auth Bypass Vulnerability

CVE-2026-33710 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-33710

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-33710

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-33710

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform