CVE-2026-1106
Unknown Unknown - Not Provided
Improper Authorization in Chamilo LMS Legal Consent Handler

Publication date: 2026-01-18

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-18
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1106
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms to 2.0.0 (exc)
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1106 is an Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS up to version 2.0.0 Beta 1, specifically in the Legal Consent Handler component within the SocialController.php file. The vulnerability occurs because the application improperly authorizes requests that manipulate the userId parameter in certain POST endpoints, such as deleteLegal. This allows an authenticated attacker with low privileges to perform unauthorized actions on other users' legal consent and privacy-related data, like deleting or modifying legal consent records without permission. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to delete or modify other users' legal consent records, potentially forcing users to re-accept terms or causing account access issues. It can also enable attackers to submit privacy requests or mark users as having accepted legal terms without their consent. The integrity of legal consent data is compromised, which may lead to loss of user trust, disruption of service availability, and legal risks due to compromised consent audit trails. [1, 2, 3]

Compliance Impact

The vulnerability poses a significant risk to compliance with data protection regulations such as GDPR because it allows unauthorized modification or deletion of users' legal consent records. This compromises the integrity and auditability of consent data, which is critical for demonstrating compliance. Unauthorized changes to consent records can lead to violations of user privacy rights and regulatory requirements, increasing legal and business risks. [2]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to specific endpoints such as `/social-network/delete-legal`, `/social-network/send-legal-term`, and `/social-network/handle-privacy-request` where the `userId` parameter is manipulated. Additionally, vulnerable targets can be identified using Google dorking with queries like `inurl:src/CoreBundle/Controller/SocialController.php`. Network monitoring tools or web application firewalls can be configured to alert on suspicious POST requests to these endpoints with unusual `userId` values. Specific commands are not provided in the resources. [2, 3]

Mitigation Strategies

Immediate mitigation steps include replacing the user-controlled `userId` parameter with the authenticated user's ID to ensure users can only operate on their own data. Alternatively, implement strict authorization checks that allow operations on other users' data only if the authenticated user has administrative privileges. Since no official patch or fix has been published, consider restricting access to the affected endpoints and monitoring for suspicious activity. If possible, consider replacing the affected product with an alternative until a fix is available. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart