CVE-2026-31940
Received Received - Intake
Session Fixation in Chamilo LMS via User-Controlled PHP Session ID

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31940
EUVD
EUVD-2026-21522
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms to 1.11.38 (exc)
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to session hijacking, where an attacker can take over a victim's authenticated session. This may result in unauthorized access to the victim's account and data.

If the victim has administrative privileges, the attacker could escalate their privileges, gaining full control over the victim's account and potentially the entire system.

The impacts include confidentiality, integrity, and availability being compromised, as indicated by the high CVSS impact scores.

Executive Summary

CVE-2026-31940 is a high-severity Session Fixation vulnerability in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. The issue occurs because user-controlled request parameters are directly used to set the PHP session ID before the global bootstrap and authentication processes. Specifically, the application uses parameters like 'aicc_sid' or 'session_id' to set the session ID via session_id() in the file main/lp/aicc_hacp.php, which allows an attacker to supply a predefined session ID.

This vulnerability enables an attacker to fix a session ID and force a victim to use it, leading to session fixation. As a result, the attacker can hijack the victim's session, potentially leading to account takeover and privilege escalation, especially if the victim has administrative rights.

The vulnerability is classified under CWE-384 (Session Fixation) and has a CVSS v3.1 base score of 7.5 (High severity).

Detection Guidance

This vulnerability can be detected by identifying if your Chamilo LMS installation is running a vulnerable version (prior to 1.11.38) and if the vulnerable file `/main/lp/aicc_hacp.php` is present and active.

You can check the Chamilo LMS version by inspecting the application or its version files.

To detect exploitation attempts or presence of the vulnerability on your system or network, monitor HTTP requests to the endpoint `/main/lp/aicc_hacp.php` that include user-controlled parameters such as `aicc_sid` or `session_id`.

Example commands to detect such requests in web server logs (assuming Apache logs):

  • grep 'aicc_sid' /var/log/apache2/access.log
  • grep 'session_id' /var/log/apache2/access.log
  • grep '/main/lp/aicc_hacp.php' /var/log/apache2/access.log

Additionally, you can scan your codebase or deployment for the presence of the vulnerable file and the usage of `session_id($_REQUEST[...])` in `/main/lp/aicc_hacp.php`.

Mitigation Strategies

Immediate mitigation steps include upgrading Chamilo LMS to version 1.11.38 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, you should disable or remove the vulnerable AICC HACP functionality by disabling or deleting the `/main/lp/aicc_hacp.php` file, as the Chamilo project has deprecated and disabled AICC support to mitigate this issue.

Additional recommended mitigations include:

  • Remove direct usage of `session_id($_REQUEST[...])` in the vulnerable file.
  • Regenerate the session ID after authentication using `session_regenerate_id(true)`.
  • Harden session handling by enforcing `session.use_strict_mode=1` and setting secure cookie flags such as `HttpOnly`, `Secure`, and `SameSite`.
  • Reject externally supplied session identifiers.
Compliance Impact

The session fixation vulnerability in Chamilo LMS allows an attacker to hijack user sessions, potentially leading to account takeover and unauthorized access to sensitive user data.

Such unauthorized access and compromise of user accounts can result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over user data confidentiality and integrity.

Specifically, the vulnerability impacts confidentiality, integrity, and availability of data (all rated high in CVSS), which are core principles in these regulations.

Failure to address this vulnerability could lead to non-compliance with these standards due to potential data breaches and unauthorized data access.

The recommended fixes, including removing direct session ID setting from user input, regenerating session IDs after authentication, and enforcing secure session handling, help restore compliance by protecting session integrity and user data security.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart