CVE-2026-34160 Overview
CVE-2026-34160 is a Server-Side Request Forgery (SSRF) vulnerability in Chamilo LMS, an open-source learning management system. The vulnerability exists in the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php, which is accessible without authentication and accepts a user-controlled package-url parameter. The server fetches this URL using curl without filtering private or internal IP addresses, enabling unauthenticated SSRF attacks.
Critical Impact
This vulnerability allows unauthenticated attackers to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters.
Affected Products
- Chamilo LMS versions prior to 2.0.0-RC.3
- Chamilo LMS PENS plugin (public/plugin/Pens/pens.php)
- Chamilo LMS deployments with the PENS plugin enabled
Discovery Timeline
- April 14, 2026 - CVE-2026-34160 published to NVD
- April 14, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34160
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The PENS plugin endpoint in Chamilo LMS exposes critical functionality without requiring authentication, and fails to validate that user-supplied URLs do not point to internal or private network addresses. This combination creates a significant attack surface where external attackers can leverage the server as a proxy to access internal resources.
The attack surface is particularly dangerous because:
- No authentication is required to access the vulnerable endpoint
- The server-side curl implementation follows redirects without restriction
- Both the package-url parameter and callback parameters (receipt, alerts) are vulnerable
- Cloud environments are especially at risk due to metadata endpoint exposure
Root Cause
The root cause is the absence of URL validation in the PensProcessor class (PensProcessor.php). The original implementation used isAllowedDownloadUrl(), which did not perform adequate checks against private or internal IP addresses. The vulnerable code allowed arbitrary URLs to be fetched by the server without validating whether the target address was internal, private, or otherwise restricted.
Attack Vector
An attacker can exploit this vulnerability by sending a crafted request to the PENS plugin endpoint with a malicious package-url parameter pointing to internal resources. The network-based attack vector requires no authentication or user interaction, making it highly exploitable from the internet.
Example attack scenarios include:
- Accessing AWS/GCP/Azure metadata endpoints at http://169.254.169.254/latest/meta-data/ to steal IAM credentials
- Scanning internal network services to map infrastructure
- Triggering state-changing operations on internal APIs via callback parameters
- Exfiltrating sensitive data from internal services
throw new PENSException(1322);
}
- if (!$this->isAllowedDownloadUrl($request->getPackageUrl())) {
+ if (!$this->isAllowedPackageUrl($request->getPackageUrl())) {
error_log('[Pens][collectPackage] download url rejected');
throw new PENSException(1301);
}
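Review bot: this hunk only routes getPackageUrl() through isAllowedPackageUrl(); the receipt and alerts callback URLs that the advisory also names as SSRF sinks are not validated here, so either they need the same check or it should be confirmed that a separate hunk covers them. A second gap: the check runs once on the submitted URL, but the advisory notes the curl fetch follows redirects without restriction, so a URL that passes this check can still redirect the server to an internal address unless isAllowedPackageUrl() is re-applied per hop or redirect following is disabled for this request. Minor: the log line still reads '[Pens][collectPackage] download url rejected' after the method was renamed to a package-URL check; aligning the wording avoids confusion when searching logs.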
Source: GitHub Commit Update
The patch replaces isAllowedDownloadUrl() with a stricter isAllowedPackageUrl() function that enforces proper validation against private and internal IP addresses.
Detection Methods for CVE-2026-34160
Indicators of Compromise
- Unexpected HTTP requests originating from the Chamilo server to private IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Requests to cloud metadata endpoints (169.254.169.254) from the web server
- Anomalous traffic patterns from the Chamilo application to non-standard ports on internal hosts
- Access logs showing requests to /plugin/Pens/pens.php with suspicious package-url parameters
Detection Strategies
- Monitor web server access logs for requests to the PENS endpoint (/plugin/Pens/pens.php) with unusual URL parameters
- Implement network-level detection for outbound connections from web servers to private IP ranges
- Deploy web application firewall (WAF) rules to detect and block SSRF patterns in URL parameters
- Configure alerts for any access to cloud metadata endpoints from application servers
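The URL validation the patch description calls for, together with the access-log review from the detection strategies, as an added Python example that is not Chamilo's code: is_allowed_package_url() is a hypothetical check in the spirit of isAllowedPackageUrl() (http(s) only, no embedded credentials, every resolved address must be public, IPv4-mapped IPv6 unwrapped), and scan_access_log() runs it over access-log lines for requests to /plugin/Pens/pens.php. All function names, the sample DNS answers and the log lines are constructed for this example; 8.8.8.8 only stands in for a public package host.

```python
import ipaddress
import socket
from urllib.parse import parse_qs, urlparse

PENS_PATH = "/plugin/Pens/pens.php"

def system_resolve(host):  # production resolver: every address the OS returns
    return sorted({i[4][0] for i in socket.getaddrinfo(host, None)})

def is_blocked_ip(ip_str):  # loopback, RFC 1918, link-local (169.254.x.x), reserved...
    ip = ipaddress.ip_address(ip_str)
    ip = (ip.ipv4_mapped or ip) if ip.version == 6 else ip  # unwrap ::ffff:a.b.c.d
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def is_allowed_package_url(url, resolve=system_resolve):
    """Hypothetical allow-check in the spirit of isAllowedPackageUrl(): http(s)
    only, no credentials, EVERY resolved address public. Re-run it on each redirect
    hop (or disable redirects), or a public URL can bounce onto an internal one."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname or "@" in p.netloc:
        return False, "not http(s), missing host, or credentials in URL"
    try:
        ipaddress.ip_address(p.hostname)
        addrs = [p.hostname]
    except ValueError:  # a name (or a form like 2130706433): resolve, then check
        try:
            addrs = resolve(p.hostname)
        except (socket.gaierror, KeyError):
            return False, "unresolvable host"
    bad = [a for a in addrs if is_blocked_ip(a)]
    return (False, "resolves to non-public " + bad[0]) if bad else (True, "ok")

def scan_access_log(lines, resolve=system_resolve):
    """(client, package-url, reason) for PENS requests failing the check (CLF: path is field 7)."""
    hits = []
    for f in (line.split() for line in lines):
        if len(f) >= 7 and PENS_PATH in f[6]:
            for t in parse_qs(urlparse(f[6]).query).get("package-url", []):
                ok, reason = is_allowed_package_url(t, resolve)
                if not ok:
                    hits.append((f[0], t, reason))
    return hits

# Constructed, offline sample data (8.8.8.8 merely stands in for a public package host).
SAMPLE_DNS = {"pkgs.example.org": ["8.8.8.8"], "dual.example": ["8.8.8.8", "172.16.3.7"]}
SAMPLE_LOG = ['203.0.113.9 - - [14/Apr/2026:10:00:00 +0000] "GET %s HTTP/1.1" 200 512' % q
              for q in (PENS_PATH + "?package-url=http%3A%2F%2Fpkgs.example.org%2Fpkg.zip",
                        PENS_PATH + "?package-url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F",
                        PENS_PATH + "?package-url=http%3A%2F%2Fdual.example%2Fpkg.zip", "/index.php")]
```

Run scan_access_log(SAMPLE_LOG, SAMPLE_DNS.__getitem__) to see the metadata and mixed-answer requests flagged while the legitimate package fetch and the unrelated request pass; the dual.example case shows why every resolved address, not just the first, has to be checked.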
Monitoring Recommendations
- Enable detailed logging for the Chamilo PENS plugin to capture all incoming requests
- Implement egress filtering rules to prevent the web server from connecting to internal networks
- Monitor for DNS lookups to internal hostnames or metadata service addresses
- Review network traffic patterns for unusual connections initiated by the Chamilo application
How to Mitigate CVE-2026-34160
Immediate Actions Required
- Upgrade Chamilo LMS to version 2.0.0-RC.3 or later immediately
- If immediate upgrade is not possible, disable or remove the PENS plugin by removing or restricting access to public/plugin/Pens/
- Implement network-level egress filtering to prevent the server from connecting to internal IP ranges
- Review server logs for evidence of exploitation attempts
Patch Information
The vulnerability has been fixed in Chamilo LMS version 2.0.0-RC.3. The patch introduces stricter URL validation logic in the PensProcessor class (PensProcessor.php), replacing the isAllowedDownloadUrl() method with isAllowedPackageUrl() to ensure proper filtering of private and internal IP addresses.
Workarounds
- Disable the PENS plugin if not required for your deployment
- Implement web server or reverse proxy rules to block access to /plugin/Pens/pens.php
- Configure firewall rules to prevent outbound connections from the web server to internal networks and cloud metadata endpoints
- Deploy a WAF rule to block requests containing internal IP addresses or metadata endpoint URLs in parameters
# Configuration example: block access to the PENS plugin in nginx.
# `return 403` is processed before `deny`, so a single directive is sufficient.
location /plugin/Pens/ {
    return 403;
}

# Alternative: block access to the cloud metadata endpoint at the firewall level.
# As written this rule applies to every local process, not only the web server;
# add `-m owner --uid-owner <web-server-user>` to scope it to the web server account.
iptables -A OUTPUT -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.