CVE-2026-35196 Overview
CVE-2026-35196 is a critical OS Command Injection vulnerability discovered in Chamilo LMS, an open-source learning management system widely used by educational institutions and organizations for e-learning purposes. The vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where user-controlled session data is directly concatenated into shell commands without proper sanitization.
This command injection flaw allows attackers who can manipulate their session data to inject shell metacharacters into the _cid variable, enabling arbitrary command execution on the underlying server. The impact is severe, potentially granting attackers full access to read system files, credentials, and database contents, as well as the ability to modify application data or disrupt server availability entirely.
Critical Impact
Successful exploitation of this vulnerability enables arbitrary command execution on the server, potentially leading to complete system compromise, data exfiltration, and service disruption.
Affected Products
- Chamilo LMS versions prior to 2.0.0-RC.3
Discovery Timeline
- 2026-04-14 - CVE-2026-35196 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-35196
Vulnerability Analysis
This command injection vulnerability stems from improper handling of session-derived data within the gradebook AJAX functionality. The export_all_certificates action retrieves the course code from the session variable $_SESSION['_cid'] via the api_get_course_id() function and directly concatenates this value into a shell_exec() command string.
The core issue is the absence of input sanitization using PHP's escapeshellarg() function before the session-derived value is passed to shell execution functions. If an attacker can poison or manipulate their session data to inject shell metacharacters (such as ;, |, &&, or backticks) into the _cid variable, the injected commands will be executed with the privileges of the web server process.
The attack surface extends beyond just the gradebook endpoint. The security patch reveals that multiple locations in the codebase were vulnerable to similar command injection issues, including document processing functions that handle PDF, PostScript, Word documents, HTML, and RTF files through external command-line utilities like pdftotext, ps2pdf, catdoc, html2text, and unrtf.
Root Cause
The root cause is CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The application fails to sanitize or escape user-influenced data before incorporating it into operating system commands executed via shell_exec() and exec() functions. The vulnerable code path trusts that session data is safe, but session variables can potentially be manipulated through various attack vectors including session fixation, session poisoning, or other application-level vulnerabilities.
Attack Vector
The attack vector is network-based and requires low-privilege authenticated access to the Chamilo LMS platform. An attacker needs to:
- Obtain authenticated access to the Chamilo LMS system (even with minimal student-level privileges)
- Manipulate or poison their session data to inject malicious shell metacharacters into the _cid (course ID) session variable
- Trigger the vulnerable export_all_certificates action in the gradebook AJAX endpoint
- The injected commands execute with the privileges of the web server user
The following patch demonstrates how the vulnerability was addressed by adding proper input sanitization:
break;*/
case 'export_all_certificates':
if (!api_is_allowed_to_edit(null, true) && !api_is_student_boss()) {
- echo '';
- break;
+ exit;
}
+
$categoryId = (int) $_GET['cat_id'];
$filterOfficialCodeGet = isset($_GET['filter']) ? Security::remove_XSS($_GET['filter']) : null;
Source: GitHub Commit Update
Additional fixes were applied to document processing functions across the codebase:
fclose($handle);
break;
case 'application/pdf':
- exec("pdftotext $doc_path -", $output, $ret_val);
+ exec("pdftotext ".escapeshellarg($doc_path)." -", $output, $ret_val);
break;
case 'application/postscript':
$temp_file = tempnam(sys_get_temp_dir(), 'chamilo');
- exec("ps2pdf $doc_path $temp_file", $output, $ret_val);
+ exec("ps2pdf ".escapeshellarg($doc_path)." ".escapeshellarg($temp_file), $output, $ret_val);
if (0 !== $ret_val) { // shell fail, probably 127 (command not found)
return false;
}
exec("pdftotext $temp_file -", $output, $ret_val);
unlink($temp_file);
break;
case 'application/msword':
- exec("catdoc $doc_path", $output, $ret_val);
+ exec("catdoc ".escapeshellarg($doc_path), $output, $ret_val);
break;
case 'text/html':
- exec("html2text $doc_path", $output, $ret_val);
+ exec("html2text ".escapeshellarg($doc_path), $output, $ret_val);
break;
case 'text/rtf':
// Note: correct handling of code pages in unrtf
// on debian lenny unrtf v0.19.2 can not, but unrtf v0.20.5 can
- exec("unrtf --text $doc_path", $output, $ret_val);
+ exec("unrtf --text ".escapeshellarg($doc_path), $output, $ret_val);
if (127 == $ret_val) { // command not found
Source: GitHub Commit Update
Detection Methods for CVE-2026-35196
Indicators of Compromise
- Unusual process spawning from the web server process (Apache/Nginx worker processes executing unexpected commands)
- Suspicious entries in web server access logs targeting /main/inc/ajax/gradebook.ajax.php with the export_all_certificates action
- Session manipulation attempts or anomalous session data containing shell metacharacters (;, |, &&, `, $())
- Unexpected outbound network connections originating from the web server
- Evidence of file system reconnaissance or credential harvesting activities
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing shell metacharacters in session-related parameters
- Monitor web server processes for child process creation with unusual command-line arguments
- Deploy file integrity monitoring on critical Chamilo LMS files and configuration directories
- Enable verbose logging on the Chamilo LMS application and correlate with system command execution logs
Monitoring Recommendations
- Configure SIEM alerts for patterns of gradebook AJAX endpoint access with anomalous parameters
- Monitor for signs of post-exploitation activity such as new user account creation, privilege changes, or database modifications
- Implement endpoint detection and response (EDR) monitoring on servers hosting Chamilo LMS
- Review audit logs for any unauthorized certificate export activities or mass data access patterns
How to Mitigate CVE-2026-35196
Immediate Actions Required
- Upgrade Chamilo LMS to version 2.0.0-RC.3 or later immediately
- If immediate upgrade is not possible, restrict access to the gradebook AJAX endpoint through web server configuration
- Implement additional network segmentation to limit the blast radius of potential compromise
- Review server logs for any evidence of exploitation attempts
Patch Information
The vulnerability has been fixed in Chamilo LMS version 2.0.0-RC.3. The patch applies escapeshellarg() sanitization to all user-influenced data before it is passed to shell execution functions. Organizations should upgrade to this version or later as soon as possible.
For detailed patch information, refer to:
Workarounds
- Restrict access to /main/inc/ajax/gradebook.ajax.php using web server access controls until patching is complete
- Implement strict input validation at the web server or WAF level to filter shell metacharacters
- Disable the certificate export functionality temporarily if it is not critical to operations
- Run the web server with minimal privileges and in a containerized or sandboxed environment to limit the impact of potential exploitation
# Apache configuration to restrict access to vulnerable endpoint
<Location "/main/inc/ajax/gradebook.ajax.php">
Order deny,allow
Deny from all
# Allow only from trusted admin IPs if certificate export is needed
# Allow from 192.168.1.0/24
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
