CVE-2026-33736 Overview
CVE-2026-33736 is an Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS, an open-source learning management system. Prior to version 2.0.0-RC.3, any authenticated user—including those with minimal privileges such as ROLE_STUDENT—can enumerate all platform users and access sensitive personal information via the GET /api/users endpoint. This includes email addresses, phone numbers, roles, and critically, administrator account details.
Critical Impact
Low-privileged authenticated users can harvest personal information of all platform users including administrators, potentially enabling targeted phishing attacks, social engineering, or further privilege escalation attempts.
Affected Products
- Chamilo LMS 2.0.0-alpha1 through 2.0.0-alpha5
- Chamilo LMS 2.0.0-beta1 through 2.0.0-beta3
- Chamilo LMS 2.0.0-RC1 and 2.0.0-RC2
Discovery Timeline
- April 10, 2026 - CVE-2026-33736 published to NVD
- April 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33736
Vulnerability Analysis
This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), commonly known as Insecure Direct Object Reference (IDOR). The core issue is inadequate access control on the /api/users collection endpoint: affected versions verify that the caller is logged in but never check whether the caller's role permits listing users, so any authenticated account can retrieve the complete user list. Strictly speaking no user-controlled key is manipulated here; in practice this is a missing function-level authorization check on a collection endpoint, which is why the fix is a role check on the operation rather than an ownership check on individual records.
The vulnerability is exploitable over the network and requires only a low-privileged account (any valid user). Once authenticated, an attacker queries the endpoint directly and extracts personally identifiable information (PII) including email addresses, phone numbers and role assignments. The inclusion of administrator accounts is particularly concerning: the response hands the attacker a ready-made list of high-value targets, and the role field tells them which accounts to go after first.
Root Cause
The root cause is a missing authorization check in the API endpoint handler. The /api/users endpoint was reachable by every authenticated user, with no check that the requester held an administrative role. Authentication was treated as sufficient; no role-based access control (RBAC) was applied to this sensitive collection operation.
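The missing check described above can be enforced in a few lines of an API Platform state provider, which is the mechanism the patch's naming points to. The following is an added illustration and not Chamilo's actual UserCollectionStateProvider: the App\State namespace, the decorated provider's service id (the standard API Platform 3 ORM collection provider) and the ROLE_ADMIN requirement are assumptions about a generic Symfony/API Platform application.

```php
<?php
// Added example, not Chamilo's own UserCollectionStateProvider or User
// resource. It shows the pattern the fix describes: an API Platform state
// provider that refuses to serve the user collection to non-admins before
// delegating to the built-in Doctrine provider. The App\State namespace,
// the service id and the role name are assumptions for a generic app.
declare(strict_types=1);

namespace App\State;

use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

final class UserCollectionStateProvider implements ProviderInterface
{
    public function __construct(
        // The default ORM collection provider this one wraps; it performs the
        // normal paginated, filtered query once the role check has passed.
        #[Autowire(service: 'api_platform.doctrine.orm.state.collection_provider')]
        private readonly ProviderInterface $collectionProvider,
        private readonly Security $security,
    ) {
    }

    public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
    {
        // Authentication alone is not enough (that was the bug): the caller
        // must hold an administrative role before a single user row is loaded.
        if (!$this->security->isGranted('ROLE_ADMIN')) {
            throw new AccessDeniedHttpException('Listing users requires ROLE_ADMIN.');
        }

        return $this->collectionProvider->provide($operation, $uriVariables, $context);
    }
}

// Wiring on the resource. The vulnerable form is the same declaration with
// no provider and no security expression on GetCollection, so the default
// provider served the full list to any logged-in user:
//
//   #[ApiResource(operations: [
//       new GetCollection(provider: UserCollectionStateProvider::class),
//   ])]
//   class User { /* ... */ }
```

The same hard deny can be expressed declaratively with `security: "is_granted('ROLE_ADMIN')"` on the GetCollection operation. A provider is the better tool when the answer is not simply allow or deny, for example when teachers should receive only the users of their own courses, because it can adjust the query rather than only gate it.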
Attack Vector
The attack is straightforward for any authenticated user:
- Authenticate to the Chamilo LMS platform with any valid credentials (even a student account)
- Send a GET request to /api/users endpoint
- Receive the complete user collection including emails, phone numbers, and role assignments
- Identify administrator accounts for targeted attacks
The following excerpt from the fix removes the findByUsername helper, which queried /api/users by username, from the front-end user service:
return await baseService.get("/admin/sessionadmin/users", searchParams)
}
-/**
- * @param {string} username
- * @returns {Promise<{totalItems, items}>}
- */
-async function findByUsername(username) {
- return await baseService.getCollection("/api/users", { username })
-}
-
/**
* @param {string} term
* @returns {Promise<{totalItems, items}>}
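Review bot: Removing the findByUsername client helper stops the front end from calling GET /api/users with a username filter, but it does not close the hole on its own: any authenticated user can still send that request directly, so the server-side authorization on /api/users is the actual fix and this hunk should not be read as one. Two things to confirm in the rest of the change: every caller of findByUsername was updated (this hunk shows none), and the lookup paths that remain, the preceding `/admin/sessionadmin/users` call and the term-based search declared below, are themselves restricted to the roles that need them.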
Source: GitHub Commit Update
The fix also introduces a new UserCollectionStateProvider to enforce authorization on the user collection; the excerpt below shows only the import added for it:
use Chamilo\CoreBundle\Entity\Listener\UserListener;
use Chamilo\CoreBundle\Filter\PartialSearchOrFilter;
use Chamilo\CoreBundle\Repository\Node\UserRepository;
+use Chamilo\CoreBundle\State\UserCollectionStateProvider;
use Chamilo\CoreBundle\Traits\UserCreatorTrait;
use Chamilo\CourseBundle\Entity\CGroupRelTutor;
use Chamilo\CourseBundle\Entity\CGroupRelUser;
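Review bot: Only the `use Chamilo\CoreBundle\State\UserCollectionStateProvider;` import is added in this hunk, and an import alone enforces nothing. Review it together with the line that actually attaches the provider to the user collection operation (for instance a `provider: UserCollectionStateProvider::class` argument on that operation) and with the provider class itself, where the role check has to live; if the class is imported but never referenced, a linter will flag it as unused and the endpoint stays open.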
Source: GitHub Commit Update
Detection Methods for CVE-2026-33736
Indicators of Compromise
- Any successful (HTTP 200) GET /api/users request from a student or other non-administrative account; a single response already returns a page of user records, so no volume threshold is needed for this to count as exposure
- Closely spaced GET /api/users requests from one account walking through pagination, or repeated calls to other user-related endpoints, indicating automated enumeration
- Network traffic patterns showing bulk data extraction from the users API endpoint
Detection Strategies
- Implement API request monitoring to flag /api/users access from non-admin roles
- Configure web application firewall (WAF) rules to alert on suspicious user enumeration patterns
- Review access logs for unauthorized API endpoint access by low-privileged users
- Deploy user behavior analytics to detect anomalous data access patterns
Monitoring Recommendations
- Enable detailed API access logging with user role attribution
- Set up alerts for bulk API responses returning large user collections
- Monitor for repeated authentication attempts following user enumeration activity
- Implement rate limiting on sensitive API endpoints to slow enumeration attempts; this limits the speed of collection, not the exposure, since a single permitted response already returns a page of user records
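As an added example (not from the advisory or the Chamilo project), the following PHP script applies the log-review and role-attribution advice above to a constructed access log. It assumes an application-side log that records the authenticated username for each request (the line format is described in the comment) and a username-to-role map exported from the platform; both the sample log and the role map are made up for the demonstration.

```php
<?php
// Added example, not part of the advisory or of Chamilo: scan an access log
// for successful GET /api/users collection requests made by non-admin
// accounts and grade each offender as a one-off exposure or bulk enumeration.
// Assumptions: log lines are "<timestamp> <username> <method> <path> <status>"
// (an application log carrying the authenticated username, as the monitoring
// advice calls for) and the username->role map is available. The sample log
// and the role map below are constructed for this demo.
declare(strict_types=1);

const ADMIN_ROLES = ['ROLE_ADMIN', 'ROLE_SUPER_ADMIN'];

const SAMPLE_LOG = <<<'LOG'
2026-04-10T09:00:01Z admin     GET /api/users?page=1 200
2026-04-10T09:05:12Z student42 GET /api/users?page=1 200
2026-04-10T09:05:13Z student42 GET /api/users?page=2 200
2026-04-10T09:05:14Z student42 GET /api/users?page=3 200
2026-04-10T09:06:40Z teacher7  GET /api/users?page=1 200
2026-04-10T09:07:00Z teacher7  GET /api/users/17 200
2026-04-10T09:08:00Z student42 GET /api/courses 200
2026-04-10T09:09:00Z guest1    GET /api/users?page=1 403
LOG;

const USER_ROLES = [
    'admin'     => 'ROLE_ADMIN',
    'teacher7'  => 'ROLE_TEACHER',
    'student42' => 'ROLE_STUDENT',
];

/** Split one log line into fields; null for malformed lines so they never abort a scan. */
function parseLine(string $line): ?array
{
    $parts = preg_split('/\s+/', trim($line));
    if (count($parts) !== 5) {
        return null;
    }
    [$ts, $user, $method, $path, $status] = $parts;
    return ['ts' => $ts, 'user' => $user, 'method' => $method,
            'path' => $path, 'status' => (int) $status];
}

/** True only for the collection (/api/users with any query string), not for item reads like /api/users/17. */
function isUserCollectionRequest(string $method, string $path): bool
{
    return $method === 'GET' && parse_url($path, PHP_URL_PATH) === '/api/users';
}

/**
 * Returns one finding per non-admin account that received a 200 from
 * GET /api/users. Unknown usernames are treated as non-admin (fail closed).
 */
function findSuspiciousAccess(string $log, array $roles, int $bulkThreshold = 3): array
{
    $perUser = [];
    foreach (explode("\n", $log) as $line) {
        $e = parseLine($line);
        // Denied requests (403) are attempts, not exposure: worth a separate
        // alert on a patched system, but not counted as leaked data here.
        if ($e === null || $e['status'] !== 200
            || !isUserCollectionRequest($e['method'], $e['path'])) {
            continue;
        }
        $role = $roles[$e['user']] ?? 'UNKNOWN';
        if (in_array($role, ADMIN_ROLES, true)) {
            continue;
        }
        $perUser[$e['user']]['role'] = $role;
        $perUser[$e['user']]['requests'][] = $e['ts'] . ' ' . $e['path'];
    }

    $findings = [];
    foreach ($perUser as $user => $info) {
        $n = count($info['requests']);
        $findings[] = [
            'user'     => $user,
            'role'     => $info['role'],
            'count'    => $n,
            'severity' => $n >= $bulkThreshold ? 'bulk enumeration' : 'exposure',
            'requests' => $info['requests'],
        ];
    }
    return $findings;
}

foreach (findSuspiciousAccess(SAMPLE_LOG, USER_ROLES) as $f) {
    printf("%-10s %-13s %d request(s) to /api/users: %s\n",
        $f['user'], $f['role'], $f['count'], $f['severity']);
}
```

On the constructed log the script reports student42 (three paginated reads, graded as bulk enumeration) and teacher7 (one read, graded as exposure); the admin's request, the item read of /api/users/17 and the denied request from guest1 are not reported. The status filter matters in both directions: on an unpatched system every non-admin 200 is a confirmed leak, while on a patched system a stream of 403s from one account is the signal that someone is still trying.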
How to Mitigate CVE-2026-33736
Immediate Actions Required
- Upgrade Chamilo LMS to version 2.0.0-RC.3 or later immediately
- Audit access logs for evidence of prior exploitation targeting /api/users
- Review and rotate credentials for any administrator accounts that appeared in harvested data; the endpoint exposes contact details and roles, not passwords, so this is a precaution against follow-on phishing and password-guessing rather than a response to credential theft
- Notify users whose personal information may have been compromised
Patch Information
The vulnerability is fixed in Chamilo LMS version 2.0.0-RC.3. The security patch introduces a UserCollectionStateProvider that enforces proper authorization checks before returning user collection data. Organizations should upgrade to the patched version as soon as possible.
For detailed patch information, refer to:
Workarounds
- Implement network-level access controls to restrict API endpoint access to trusted IP ranges
- Configure reverse proxy or WAF rules to block access to /api/users from outside trusted networks; note that legitimate administrative screens also use this endpoint (the front-end user lookup removed by the patch called it), so expect those to break for users outside the allowed range until the upgrade
- Temporarily disable API access for non-essential users until the patch can be applied
- Implement additional authentication layers for sensitive API endpoints
# Example nginx configuration to restrict access to the user collection
# endpoint while the patch is pending. The exact match covers only
# /api/users (with any query string); /api/users/{id} item requests are
# left alone so that profile and item lookups keep working.
location = /api/users {
    satisfy any;                 # grant access if EITHER the IP check OR basic auth passes
    allow 10.0.0.0/8;            # replace with your administrators' network(s)
    deny all;
    # Fallback for administrators outside the allowed range. Caveat: nginx
    # rejects any non-Basic Authorization header once auth_basic is on, so
    # API clients that send a bearer token to this URL will get 401 here
    # until the block is removed.
    auth_basic "Restricted API";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://chamilo_backend;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.