CVE-2026-3110
IDOR Vulnerability in Campus Educativa Exposes User Data
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) found in Campus Educativa at a specific endpoint used to export user data enrolled in courses.
An unauthenticated attacker can exploit this by manipulating the URL parameter that identifies the course ID and performing a brute-force attack to access data of all users enrolled in different courses.
The exposed data includes usernames, first and last names, email addresses, and phone numbers.
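The enumeration pattern described above leaves a recognisable trace in web server access logs: one client with no authenticated user receiving successful responses for many different course IDs on the export endpoint. The following is an added example, not part of the original advisory or the vendor's code; the endpoint path, the parameter name `course_id`, the Common Log Format layout and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the advisory): endpoint path, parameter name, log layout.
EXPORT_PATH = "/EXPORT-ENDPOINT-PLACEHOLDER"
ID_PARAM = "course_id"
# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_enumeration(lines, min_distinct_ids=5):
    """Return {client_ip: sorted course IDs} for clients that, without an
    authenticated user, were served (HTTP 200) at least min_distinct_ids
    different course IDs on the export endpoint."""
    served = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        # Skip unparsable lines, authenticated requests and non-200 responses.
        if not m or m["user"] != "-" or m["status"] != "200":
            continue
        url = urlsplit(m["target"])
        if url.path != EXPORT_PATH:
            continue
        for value in parse_qs(url.query).get(ID_PARAM, []):
            if value.isdigit():
                served[m["ip"]].add(int(value))
    return {ip: sorted(ids) for ip, ids in served.items()
            if len(ids) >= min_distinct_ids}

# Constructed sample: one client walking IDs 1..6 (ID 4 does not exist),
# one authenticated user, and one isolated unauthenticated request.
SAMPLE_LOG = [
    f'203.0.113.7 - - [16/Mar/2026:10:00:0{i} +0000] '
    f'"GET {EXPORT_PATH}?{ID_PARAM}={i} HTTP/1.1" {404 if i == 4 else 200} 512'
    for i in range(1, 7)
] + [
    f'198.51.100.20 - teacher1 [16/Mar/2026:10:01:00 +0000] '
    f'"GET {EXPORT_PATH}?{ID_PARAM}=12 HTTP/1.1" 200 2048',
    f'192.0.2.9 - - [16/Mar/2026:10:02:00 +0000] '
    f'"GET {EXPORT_PATH}?{ID_PARAM}=3 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: unauthenticated export of {len(ids)} courses: {ids}")
```

Because the endpoint returns personal data, even the single unauthenticated 200 response that falls below the threshold here merits review.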
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to unauthorized access to sensitive user information without any authentication.
This could result in privacy breaches, identity theft, phishing attacks, and other malicious activities targeting the exposed users.
Since the attacker can retrieve data of all users enrolled in courses, the scale of impact can be significant.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know