CVE-2026-30876
User Enumeration Vulnerability in Chamilo LMS Before
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.36 (excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30876 is a user enumeration vulnerability in Chamilo LMS versions up to 1.11.34. The vulnerability occurs because the system responds differently to requests with valid usernames compared to invalid ones. This difference in responses allows an attacker to determine whether a specific username exists in the system without authorization.
This issue is classified under CWE-204 (Observable Response Discrepancy) and was fixed in version 1.11.36 of Chamilo LMS.
How can this vulnerability impact me?
This vulnerability allows an attacker to enumerate valid usernames in the Chamilo LMS system by observing differences in system responses. Knowing valid usernames can facilitate further attacks such as targeted phishing, brute force password attempts, or social engineering.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing the responses from the Chamilo LMS application when submitting requests with different usernames. Specifically, sending requests with valid and invalid usernames and comparing the responses can reveal distinguishable differences that indicate user enumeration.

For example, you can use command-line tools like curl to send HTTP requests with different usernames and analyze the responses for discrepancies.

- `curl -i -X POST -d "username=valid_username" https://your-chamilo-instance/login`
- `curl -i -X POST -d "username=invalid_username" https://your-chamilo-instance/login`

By comparing the HTTP status codes, response bodies, or response times between these requests, you can detect if the application is leaking information about the validity of usernames. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Chamilo LMS to version 1.11.36 or later, where the issue has been patched.
Until the upgrade can be performed, consider implementing generic error messages that do not reveal whether a username is valid or invalid, to reduce the risk of user enumeration.
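The following is an added example, not Chamilo code and not tied to the specific patched code path, that illustrates the CWE-204 pattern behind the detection and mitigation advice above: a hypothetical login handler whose error responses differ by account existence, the uniform-response version the mitigation recommends, and a self-check that compares the two response classes the way the curl comparison does. The user store, salt and handler names are constructed for the demo.

```python
"""CWE-204 in a login flow: discrepant vs. uniform responses (hypothetical handlers)."""
import hashlib
import hmac

# Constructed demo user store: username -> salted SHA-256 of the password.
_SALT = b"demo-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _digest("correct horse"), "bob": _digest("battery staple")}
# Precomputed digest used when the account does not exist, so the comparison
# work is the same on both paths instead of being skipped for unknown users.
_DUMMY_DIGEST = _digest("<dummy-not-a-real-password>")


def login_discrepant(username: str, password: str):
    """Vulnerable pattern: status code and message reveal whether the user exists."""
    if username not in USERS:
        return 404, "Unknown user"
    if not hmac.compare_digest(USERS[username], _digest(password)):
        return 401, "Wrong password"
    return 200, "Welcome"


def login_uniform(username: str, password: str):
    """Hardened pattern: identical status and body for 'no such user' and
    'wrong password', and the digest comparison always runs."""
    stored = USERS.get(username, _DUMMY_DIGEST)
    matched = hmac.compare_digest(stored, _digest(password))
    if matched and username in USERS:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def responses_distinguishable(handler) -> bool:
    """Defender self-check: does a real account with a wrong password produce a
    different (status, body) pair than a nonexistent account? True means the
    handler leaks account existence (the observable discrepancy of CWE-204)."""
    known_user = handler("alice", "not-the-password")
    unknown_user = handler("nobody-here", "not-the-password")
    return known_user != unknown_user
```

Response bodies and status codes are what this check compares; timing differences are a separate observable and are only narrowed here by always running the digest comparison.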