CVE-2026-1106
Improper Authorization in Chamilo LMS Legal Consent Handler
Publication date: 2026-01-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 2.0.0 (excluding) |
| chamilo | chamilo_lms | 2.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1106 is an Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS up to version 2.0.0 Beta 1, specifically in the Legal Consent Handler component within the SocialController.php file. The vulnerability occurs because the application improperly authorizes requests that manipulate the userId parameter in certain POST endpoints, such as deleteLegal. This allows an authenticated attacker with low privileges to perform unauthorized actions on other users' legal consent and privacy-related data, like deleting or modifying legal consent records without permission. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to delete or modify other users' legal consent records, potentially forcing users to re-accept terms or causing account access issues. It can also enable attackers to submit privacy requests or mark users as having accepted legal terms without their consent. The integrity of legal consent data is compromised, which may lead to loss of user trust, disruption of service availability, and legal risks due to compromised consent audit trails. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability poses a significant risk to compliance with data protection regulations such as GDPR because it allows unauthorized modification or deletion of users' legal consent records. This compromises the integrity and auditability of consent data, which is critical for demonstrating compliance. Unauthorized changes to consent records can lead to violations of user privacy rights and regulatory requirements, increasing legal and business risks. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to specific endpoints such as `/social-network/delete-legal`, `/social-network/send-legal-term`, and `/social-network/handle-privacy-request` where the `userId` parameter is manipulated. Additionally, vulnerable targets can be identified using Google dorking with queries like `inurl:src/CoreBundle/Controller/SocialController.php`. Network monitoring tools or web application firewalls can be configured to alert on suspicious POST requests to these endpoints with unusual `userId` values. Specific commands are not provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the user-controlled `userId` parameter with the authenticated user's ID to ensure users can only operate on their own data. Alternatively, implement strict authorization checks that allow operations on other users' data only if the authenticated user has administrative privileges. Since no official patch or fix has been published, consider restricting access to the affected endpoints and monitoring for suspicious activity. If possible, consider replacing the affected product with an alternative until a fix is available. [2, 3]
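The two mitigation options above (bind the target to the authenticated user, or allow a posted `userId` only for administrators) as an added PHP illustration. This is not Chamilo's code: the request array, the `CurrentUser` object and the in-memory `LegalConsentRepository` are hypothetical stand-ins for the real controller, session and persistence layer.

```php
<?php
// Added illustration, not code from Chamilo LMS: the request array, user
// object and repository are hypothetical stand-ins for the real ones.
declare(strict_types=1);
final class CurrentUser
{
    public function __construct(public readonly int $id, public readonly bool $isAdmin) {}
}

// In-memory stand-in for the consent store.
final class LegalConsentRepository
{
    private array $accepted = [1 => true, 2 => true];
    public function deleteForUser(int $userId): void { unset($this->accepted[$userId]); }
    public function hasAccepted(int $userId): bool { return $this->accepted[$userId] ?? false; }
}

// Vulnerable pattern: the target is whatever userId the client posted, so any
// authenticated user can delete another user's consent record (the IDOR above).
function deleteLegalVulnerable(array $post, CurrentUser $me, LegalConsentRepository $repo): void
{
    $repo->deleteForUser((int) ($post['userId'] ?? $me->id));
}

// Corrected pattern: derive the target from the authenticated identity and only
// honour a posted userId for administrators; any other cross-user request fails closed.
function deleteLegalFixed(array $post, CurrentUser $me, LegalConsentRepository $repo): void
{
    $target = isset($post['userId']) ? (int) $post['userId'] : $me->id;
    if ($target !== $me->id && !$me->isAdmin) {
        throw new RuntimeException('Forbidden: cannot modify another user\'s consent record');
    }
    $repo->deleteForUser($target);
}

// Demo: a non-admin user (id 1) posts userId=2, attempting to act on user 2's record.
$post = ['userId' => '2'];
$me   = new CurrentUser(id: 1, isAdmin: false);
$repo = new LegalConsentRepository();
deleteLegalVulnerable($post, $me, $repo);
printf("vulnerable handler: user 2 consent present = %s\n", var_export($repo->hasAccepted(2), true));

$repo = new LegalConsentRepository();
try {
    deleteLegalFixed($post, $me, $repo);
} catch (RuntimeException $e) {
    printf("fixed handler rejected request: %s\n", $e->getMessage());
}
printf("fixed handler: user 2 consent present = %s\n", var_export($repo->hasAccepted(2), true));
```

The same check applies to the other handlers named in the answers above (sending legal terms, privacy requests): the authorization decision must be made server-side from the session identity, never from the request body.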