CVE-2026-29041
Authenticated Remote Code Execution in Chamilo LMS File Uploads
Publication date: 2026-03-06
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.34 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to full system compromise. Attackers can execute arbitrary commands on the server, gain unauthorized access to sensitive data, modify or delete content, and disrupt services. This results in a complete loss of confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-29041 is a high-severity authenticated remote code execution vulnerability in Chamilo LMS versions up to 1.11.32. It arises from improper validation of uploaded files, where the system relies only on MIME-type verification, which can be bypassed by attackers. Specifically, malicious users can upload files that appear as images but contain executable PHP code. When a certain configuration is enabled, these files are saved with their original extensions in web-accessible directories, allowing attackers to execute arbitrary code on the server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of uploaded files with executable extensions such as .php, .phtml, or .phar in web-accessible directories used by Chamilo LMS, especially if the configuration option $_configuration['enable_uploadimage_editor'] is enabled.
You can also monitor HTTP requests to the endpoint main/inc/ajax/document.ajax.php with the ck_uploadimage action to identify suspicious file uploads.
Suggested commands to detect potentially malicious files include:
- Find files with executable extensions in the upload directory, for example: `find /path/to/chamilo/uploads -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.phar" \)`
- Check for files containing PHP code by searching for PHP tags: `grep -r "<?php" /path/to/chamilo/uploads`
- Review web server logs for requests to uploaded files with suspicious extensions or unusual access patterns. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade Chamilo LMS to version 1.11.34 or later, where this vulnerability has been patched.
- Enforce strict file extension allowlisting on uploaded files, accepting only safe image extensions such as .jpg, .png, and .gif, and rejecting executable extensions like .php, .phtml, or .phar regardless of MIME type.
- Avoid relying solely on MIME-type validation; use MIME-type checks only as a secondary measure.
- Store uploaded files outside of web-accessible directories or serve them through controlled handlers to prevent direct execution.
- If possible, disable the configuration option $_configuration['enable_uploadimage_editor'] to prevent saving files with original executable extensions. [1]
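The detection commands above and the allowlist mitigation both reduce to the same check: decide from the file name and the first bytes of content, not from the client-supplied MIME type. The following Python script is an added example (not Chamilo's code and not from this record) that applies that check to one upload and to a whole upload tree; the executable-extension set mirrors the three extensions named above and should be extended to match the web server's PHP handler configuration, and the sample files it creates are constructed for the demo.

```python
import os
import re
import tempfile

# Safe image extensions from the mitigation guidance (allowlist, lower-case).
ALLOWED_IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Extensions the record names as executable; extend to match your server's PHP handler config.
EXECUTABLE_EXT = {".php", ".phtml", ".phar"}
# Magic bytes each allowed image type must start with (checked instead of trusting MIME type).
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
PHP_TAG = re.compile(rb"<\?php\b|<\?=")

def classify_upload(name, data):
    """Return the findings for one upload (file name + bytes); an empty list means it passes."""
    findings = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED_IMAGE_EXT:
        findings.append("extension not in image allowlist")
    # Apache AddHandler-style setups may execute 'x.php.jpg', so check every name segment.
    if any("." + p in EXECUTABLE_EXT for p in parts[1:]):
        findings.append("executable extension in file name")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("content does not match declared image type")
    if PHP_TAG.search(data):  # an 'image' carrying PHP code is the bypass this CVE describes
        findings.append("contains PHP open tag")
    return findings

def scan_directory(root):
    """Walk an upload tree and map each flagged file path to its findings."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = classify_upload(fn, fh.read())
            if hits:
                flagged[path] = hits
    return flagged

if __name__ == "__main__":
    # Constructed samples: a genuine GIF, a 'GIF' carrying PHP, and a bare .php file.
    samples = {"ok.gif": b"GIF89a" + b"\x00" * 16, "img_with_php.gif": b"GIF89a<?php echo 'x'; ?>",
               "shell.php": b"<?php echo 1; ?>"}
    with tempfile.TemporaryDirectory() as tmp:
        for fn, blob in samples.items():
            with open(os.path.join(tmp, fn), "wb") as fh:
                fh.write(blob)
        for path, hits in scan_directory(tmp).items():
            print(os.path.basename(path), "->", "; ".join(hits))
```

Run it against the real upload directory with `scan_directory("/path/to/chamilo/uploads")`; any non-empty result is a file to quarantine and trace back through the web server logs.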