CVE-2026-40291 Overview
CVE-2026-40291 is a privilege escalation vulnerability in Chamilo LMS, an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN.
Critical Impact
Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings.
Affected Products
- Chamilo LMS versions prior to 2.0.0-RC.3
Discovery Timeline
- 2026-04-14 - CVE CVE-2026-40291 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-40291
Vulnerability Analysis
This vulnerability falls under CWE-269 (Improper Privilege Management) and represents a vertical privilege escalation flaw. The root issue lies in the insufficient authorization controls within the Chamilo LMS API. While the application properly verifies that a user owns a record before allowing modifications, it fails to restrict which fields can be modified. This architectural oversight allows low-privileged users to modify security-critical fields that should be immutable or restricted to administrators only.
The vulnerability is classified as a network-accessible attack requiring low privileges and no user interaction. An attacker needs only basic authentication as a student to exploit this flaw. Once exploited, the attacker gains complete control over the learning management system, compromising confidentiality, integrity, and availability of the entire platform.
Root Cause
The vulnerability stems from two compounding issues in the API design. First, the roles field is incorrectly included in the writable serialization group for user entities, making it accessible for modification via API requests. Second, the security expression is_granted('EDIT', object) only validates ownership of the user record rather than implementing field-level access controls. This allows any authenticated user to modify their own roles field and assign themselves administrative privileges.
Attack Vector
The attack can be executed remotely over the network by any authenticated user with student-level access. An attacker authenticates to the Chamilo LMS platform with valid credentials, then sends a crafted PUT request to the /api/users/{id} endpoint where {id} corresponds to their own user ID. The request body includes a modified roles array containing ROLE_ADMIN. Since the API only validates record ownership and not field-level permissions, the request succeeds and the attacker's account is elevated to administrator status. From this point, the attacker has unrestricted access to all platform functionality, including student data, grades, course content, and system configuration.
The attack requires minimal technical sophistication and can be performed using standard HTTP tools or browser developer consoles. No proof-of-concept code is publicly available, but the exploitation methodology is straightforward for anyone with basic API knowledge.
Detection Methods for CVE-2026-40291
Indicators of Compromise
- Unexpected changes to user roles fields in the database, particularly students elevated to ROLE_ADMIN
- API audit logs showing PUT requests to /api/users/{id} endpoints containing roles modifications
- New administrator accounts appearing without corresponding administrative actions in system logs
- Unauthorized access to administrative interfaces from accounts previously limited to student roles
Detection Strategies
- Implement API request logging and monitor for PUT requests to user endpoints that include roles field modifications
- Create database triggers or audit mechanisms to alert on changes to user role assignments
- Deploy web application firewall (WAF) rules to flag or block requests containing role elevation attempts in user API endpoints
- Correlate authentication logs with administrative action logs to identify privilege escalation patterns
Monitoring Recommendations
- Enable detailed API access logging capturing full request bodies for user modification endpoints
- Configure SIEM rules to detect sequential patterns of user authentication followed by immediate privilege changes
- Implement anomaly detection for administrative actions performed by recently-created or recently-modified user accounts
- Establish baseline behavior patterns for API usage and alert on deviations involving sensitive endpoints
How to Mitigate CVE-2026-40291
Immediate Actions Required
- Upgrade Chamilo LMS to version 2.0.0-RC.3 or later immediately
- Audit all user accounts to identify any unauthorized privilege escalations that may have already occurred
- Review API access logs for evidence of exploitation attempts targeting the /api/users/{id} endpoint
- Consider temporarily restricting API access while applying the patch in high-security environments
Patch Information
This vulnerability has been fixed in Chamilo LMS version 2.0.0-RC.3. The fix implements proper field-level access controls to prevent modification of security-critical fields like roles by non-administrative users. Administrators should upgrade to the patched version immediately. For detailed release information, see the GitHub Release v2.0.0-RC.3. Additional vulnerability details are available in the GitHub Security Advisory GHSA-7phx-w897-4c9x.
Workarounds
- Implement a reverse proxy or WAF rule to block PUT requests to /api/users/{id} endpoints containing the roles field
- Disable or restrict access to the REST API entirely until patching is complete
- Implement network-level access controls to limit API access to trusted administrative networks only
- Add custom middleware to validate and strip sensitive fields from user modification requests
# Example WAF/nginx rule to block role modification attempts (temporary mitigation)
# Add to nginx configuration before applying the official patch
location ~ ^/api/users/[0-9]+$ {
if ($request_body ~* "roles") {
return 403;
}
proxy_pass http://chamilo_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
