CVE-2026-33714 Overview
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, representing an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database.
Critical Impact
Authenticated administrators can exploit this time-based blind SQL injection vulnerability to extract arbitrary data from the database, potentially compromising sensitive user credentials, course materials, and personal information stored within the Chamilo LMS platform.
Affected Products
- Chamilo LMS version 2.0.0-RC.2
- Chamilo LMS versions prior to 2.0.0
Discovery Timeline
- 2026-04-14 - CVE-2026-33714 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-33714
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in the Chamilo LMS statistics module and represents an incomplete remediation of a previously identified security issue (CVE-2026-30881). The vulnerability allows authenticated administrators to inject malicious SQL code through unsanitized date parameters.
The root cause lies in inconsistent input validation across different actions within the same PHP file. While the get_user_registration_by_month action was properly secured with the Security::remove_XSS() function, the parallel users_active action was overlooked, leaving the date_start and date_end parameters vulnerable to direct SQL interpolation.
This is a network-accessible vulnerability that requires low privileges (authenticated admin access) but no user interaction, making it exploitable by any compromised or malicious administrator account.
Root Cause
The vulnerability stems from incomplete input sanitization in the public/main/inc/ajax/statistics.ajax.php file. When the previous vulnerability (CVE-2026-30881) was patched, developers applied the Security::remove_XSS() sanitization function to the date_start and date_end parameters only within the get_user_registration_by_month action. However, the users_active action within the same file processes the identical parameters without any sanitization, allowing malicious SQL code to be directly concatenated into database queries.
Attack Vector
The attack exploits the network-accessible statistics AJAX endpoint through authenticated requests. An attacker with administrator credentials can craft malicious values for the date_start and date_end parameters when invoking the users_active action. Since these parameters are directly interpolated into SQL queries without proper sanitization or parameterized queries, the attacker can inject arbitrary SQL statements.
The time-based blind SQL injection technique allows data extraction even without direct query output by measuring server response times. By injecting conditional statements with time delays (such as SLEEP() functions), attackers can infer boolean conditions about database contents one bit at a time, eventually reconstructing sensitive data including user credentials, personal information, and system configurations.
Detection Methods for CVE-2026-33714
Indicators of Compromise
- Unusual or repeated requests to /main/inc/ajax/statistics.ajax.php with the users_active action
- HTTP requests containing SQL syntax patterns in date_start or date_end parameters (e.g., SLEEP(), BENCHMARK(), WAITFOR DELAY)
- Anomalous response times from the statistics AJAX endpoint indicating time-based injection attempts
- Database logs showing unusual query patterns or syntax errors from the statistics module
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in request parameters targeting the statistics endpoint
- Enable detailed access logging for the Chamilo application and monitor for requests to statistics.ajax.php with suspicious parameter values
- Deploy database activity monitoring to detect anomalous queries originating from the Chamilo application, particularly those with timing functions
- Utilize SentinelOne Singularity platform to detect and alert on exploitation attempts through behavioral analysis
Monitoring Recommendations
- Configure alerting for multiple failed or slow requests to the statistics AJAX endpoint from the same authenticated session
- Monitor administrator account activity for unusual patterns, especially bulk requests to analytics endpoints
- Implement database query logging to capture and analyze queries executed through the affected endpoint
- Review web server access logs regularly for patterns consistent with automated SQL injection tools
How to Mitigate CVE-2026-33714
Immediate Actions Required
- Upgrade Chamilo LMS to version 2.0.0 or later immediately
- If immediate upgrade is not possible, restrict administrative access to trusted users only
- Implement additional network-level controls to limit access to the statistics AJAX endpoint
- Enable enhanced logging and monitoring on the affected endpoint until patching is complete
Patch Information
This vulnerability has been fixed in Chamilo LMS version 2.0.0. Organizations should upgrade to this version as soon as possible to remediate the vulnerability completely. For detailed information about the fix, refer to the GitHub Release v2.0.0 and the GitHub Security Advisory GHSA-w8c4-c7r8-qgw2.
Workarounds
- Implement a web application firewall (WAF) rule to block requests containing SQL injection patterns in the date_start and date_end parameters
- Restrict access to the statistics.ajax.php endpoint at the web server level using IP whitelisting or additional authentication layers
- Manually apply input sanitization to the users_active action by adding Security::remove_XSS() calls to the date_start and date_end parameters in the affected file
- Disable the statistics module entirely if it is not critical for operations until the official patch can be applied
# Example Apache configuration to restrict access to the vulnerable endpoint
<Location "/main/inc/ajax/statistics.ajax.php">
# Restrict access to trusted IP addresses only
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
# Block requests with common SQL injection patterns
RewriteEngine On
RewriteCond %{QUERY_STRING} (SLEEP|BENCHMARK|WAITFOR|DELAY) [NC]
RewriteRule .* - [F,L]
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
