CVE-2026-30876
Received - Intake
User Enumeration Vulnerability in Chamilo LMS Before

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo is vulnerable to user enumeration with valid/invalid username. This issue has been patched in version 1.11.36.
Meta Information
Published: 2026-03-16
Last Modified: 2026-03-17
Generated: 2026-06-16
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: chamilo
Product: chamilo_lms
Version / Range: up to 1.11.36 (excluded)
CWE ID: CWE-204
Description: The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Executive Summary

CVE-2026-30876 is a user enumeration vulnerability in Chamilo LMS versions up to 1.11.34. The vulnerability occurs because the system responds differently to requests with valid usernames compared to invalid ones. This difference in responses allows an attacker to determine whether a specific username exists in the system without authorization.

This issue is classified under CWE-204 (Observable Response Discrepancy) and was fixed in version 1.11.36 of Chamilo LMS.

Impact Analysis

This vulnerability allows an attacker to enumerate valid usernames in the Chamilo LMS system by observing differences in system responses. Knowing valid usernames can facilitate further attacks such as targeted phishing, brute force password attempts, or social engineering.

Detection Guidance

This vulnerability can be detected by observing the responses from the Chamilo LMS application when submitting requests with different usernames. Specifically, sending requests with valid and invalid usernames and comparing the responses can reveal distinguishable differences that indicate user enumeration.

For example, you can use command-line tools like curl to send HTTP requests with different usernames and analyze the responses for discrepancies.

curl -i -X POST -d "username=valid_username" https://your-chamilo-instance/login
curl -i -X POST -d "username=invalid_username" https://your-chamilo-instance/login

By comparing the HTTP status codes, response bodies, or response times between these requests, you can detect if the application is leaking information about the validity of usernames. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Chamilo LMS to version 1.11.36 or later, where the issue has been patched.

Until the upgrade can be performed, consider implementing generic error messages that do not reveal whether a username is valid or invalid, to reduce the risk of user enumeration.
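
The generic-error mitigation described above, as an added example that is not Chamilo's code: a login handler that distinguishes unknown users from wrong passwords, beside a form that returns the same status and body and does the same hashing work in both cases. The account store, function names and messages are hypothetical.

```python
import hashlib
import hmac
import os

_ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for the example)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

def _make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed sample account store (hypothetical; not Chamilo's schema).
USERS = {"alice": _make_user("correct horse")}

# Dummy record so unknown usernames cost the same hashing work as known ones.
_DUMMY = _make_user("dummy-password-never-valid")

GENERIC_FAILURE = (401, "Invalid username or password.")

def login_leaky(username, password):
    """Anti-pattern (CWE-204): distinct responses reveal whether the user exists."""
    user = USERS.get(username)
    if user is None:
        return (404, "Unknown user.")
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return (401, "Wrong password.")
    return (200, "Welcome.")

def login_uniform(username, password):
    """Same status, body and hashing work for unknown user and wrong password."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    candidate = _hash(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["hash"])
    # The dummy record can never authenticate: success requires a real user.
    if user is not None and matches:
        return (200, "Welcome.")
    return GENERIC_FAILURE

def responses_differ(handler, known_user, unknown_user, bad_password="x"):
    """Regression check: True if the handler distinguishes the two failure cases."""
    return handler(known_user, bad_password) != handler(unknown_user, bad_password)
```

A check like responses_differ can run in a test suite so that a later change to the login path does not reintroduce the discrepancy.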
