CVE-2026-31940
Session Fixation in Chamilo LMS via User-Controlled PHP Session ID
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | to 1.11.38 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability enables session hijacking: an attacker who fixes a victim's session identifier before the victim logs in can afterwards present that identifier and act as the victim, gaining access to the account and its data.
If the victim is an administrator, the attacker inherits those privileges and can take control of the platform.
The CVSS assessment rates the impact on confidentiality, integrity and availability as High.
Can you explain this vulnerability to me?
CVE-2026-31940 is a high-severity session fixation vulnerability in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. In `main/lp/aicc_hacp.php` the application passes user-controlled request parameters (`aicc_sid` or `session_id`) straight to `session_id()` before the global bootstrap and authentication run. Because PHP's default (non-strict) session handling adopts whatever identifier `session_id()` is given when the session is started, an attacker can choose the identifier that a victim's browser will use.
The attacker lures the victim to a link carrying the chosen identifier; when the victim then authenticates, the session bound to that identifier becomes an authenticated one, and the attacker, who already knows it, can use it to hijack the session. This can lead to account takeover and, if the victim has administrative rights, privilege escalation.
The issue is classified as CWE-384 (Session Fixation) and carries a CVSS v3.1 base score of 7.5 (High).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start by confirming whether your installation is in the affected range (1.11.x before 1.11.38, or a 2.0.0 pre-release before RC.3) and whether the vulnerable file `/main/lp/aicc_hacp.php` is present and reachable over HTTP.
Check the version in the administration pages or in the version file shipped with the installation.
To spot exploitation attempts, monitor requests to `/main/lp/aicc_hacp.php` that carry `aicc_sid` or `session_id`. Both names are also legitimate AICC HACP protocol parameters, so a single hit is not proof on its own; the same identifier value arriving from more than one client address is the stronger signal.
Example commands to find such requests in web server logs (assuming Apache access logs):
- grep 'aicc_sid' /var/log/apache2/access.log
- grep 'session_id' /var/log/apache2/access.log (broad; this also matches unrelated requests, so review the results rather than alerting on them directly)
- grep '/main/lp/aicc_hacp.php' /var/log/apache2/access.log
Access logs record only the request line, so an identifier sent in a POST body will not appear there; inspect request bodies at a reverse proxy or WAF if you need that coverage.
Additionally, search the deployed code for calls to `session_id()` in `/main/lp/aicc_hacp.php` whose argument comes from `$_REQUEST`, `$_GET` or `$_POST`.
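The grep commands above only list matching lines. The script below is an added example (not part of this advisory and not Chamilo project code) that parses Apache combined-format access logs, picks out requests to the AICC HACP endpoint that carry `aicc_sid` or `session_id` in the query string, separately lists POST requests whose parameters the access log cannot show, and reports any identifier value that was supplied from more than one client address. The log lines embedded in it are constructed for illustration; the endpoint path and parameter names are the ones named in this advisory.

```python
"""Scan Apache combined-format access logs for requests that supply a session
identifier to Chamilo's AICC HACP endpoint (CVE-2026-31940 indicator)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Client IP plus the quoted request line of an Apache combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
VULN_PATH = "/main/lp/aicc_hacp.php"
SID_PARAMS = ("aicc_sid", "session_id")

# Constructed sample log lines (not real traffic): an attacker plants an id,
# a victim follows a link carrying the same id, a legitimate AICC player POSTs
# to the endpoint, and an unrelated page is viewed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:09:12:01 +0000] "GET /main/lp/aicc_hacp.php?aicc_sid=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2026:09:14:10 +0000] "GET /main/lp/aicc_hacp.php?session_id=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 HTTP/1.1" 200 512 "https://mail.example/" "Mozilla/5.0"
198.51.100.40 - - [10/Apr/2026:09:15:30 +0000] "POST /main/lp/aicc_hacp.php HTTP/1.1" 200 87 "-" "AICC-Player/1.0"
198.51.100.41 - - [10/Apr/2026:09:16:02 +0000] "GET /main/lp/lp_controller.php?action=view&lp_id=3 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, method, path, query) for a request entry, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), m.group("method"), parts.path, parse_qs(parts.query)


def scan(lines):
    """Classify requests to the vulnerable endpoint.

    hits   - (ip, method, param, value) for every request whose query string
             carried aicc_sid or session_id
    blind  - (ip, method) for POST requests to the endpoint: the access log
             never shows body parameters, so these need the full request
    shared - {value: [ips]} for identifiers supplied from more than one client
             address, the strongest fixation signal a plain access log offers
    """
    hits, blind = [], []
    ips_by_sid = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, query = parsed
        if path != VULN_PATH:
            continue
        found = False
        for param in SID_PARAMS:
            for value in query.get(param, []):
                found = True
                hits.append((ip, method, param, value))
                ips_by_sid[value].add(ip)
        if not found and method == "POST":
            blind.append((ip, method))
    shared = {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}
    return {"hits": hits, "blind": blind, "shared": shared}


def load_lines(path=None):
    """Read a log file, or fall back to the constructed sample."""
    if path is None:
        return SAMPLE_LOG.splitlines()
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    import sys
    report = scan(load_lines(sys.argv[1] if len(sys.argv) > 1 else None))
    for ip, method, param, value in report["hits"]:
        print(f"sid supplied  {ip:15} {method:4} {param}={value}")
    for ip, method in report["blind"]:
        print(f"body unseen   {ip:15} {method:4} check request body for {SID_PARAMS}")
    for sid, ips in report["shared"].items():
        print(f"SHARED SID    {sid} from {', '.join(ips)}")
```

Run it as `python scan.py /var/log/apache2/access.log`; with no argument it runs over the embedded sample. On the sample, the two GET requests are listed as hits, the POST is listed as unseen, and the identifier shared between 203.0.113.7 and 198.51.100.22 is flagged, which is the pattern an attacker testing a planted identifier and a victim following the link would leave.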
What immediate steps should I take to mitigate this vulnerability?
Upgrade Chamilo LMS to 1.11.38 or later (or, on the 2.0 branch, to 2.0.0-RC.3 or later), where this vulnerability is fixed.
If upgrading is not immediately possible, disable or remove the AICC HACP entry point `/main/lp/aicc_hacp.php`; the Chamilo project has deprecated and disabled AICC support to address this issue. Expect AICC-packaged learning paths to stop working once the endpoint is gone.
Additional recommended mitigations include:
- Remove the direct use of `session_id($_REQUEST[...])` from the vulnerable file.
- Regenerate the session identifier after authentication with `session_regenerate_id(true)`. This is the essential step: strict session mode on its own does not stop an attacker who first obtains a valid identifier from the server and plants that one.
- Harden session handling by enforcing `session.use_strict_mode=1`, so PHP refuses identifiers it did not issue, and by setting the `HttpOnly`, `Secure` and `SameSite` flags on the session cookie.
- Reject externally supplied session identifiers.
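To show why the fixes above complement each other, and to make the attack flow described in the explanation above concrete, here is an added example (not Chamilo or PHP code, and not part of this advisory) that models a server-side session store in Python. `strict_mode` stands in for `session.use_strict_mode=1` (an identifier not already known to the server is discarded and a fresh one issued) and `regenerate_on_login` stands in for calling `session_regenerate_id(true)` after authentication; both are modelled behaviours, labelled as such in the code. It plays out the fixation scenario twice per configuration, once with an arbitrary attacker-chosen identifier and once with an identifier the server issued to the attacker's own browser first.

```python
"""Model of why each session-handling fix matters for CVE-2026-31940.

Added illustration of PHP-style session semantics, not Chamilo or PHP code:
strict_mode models session.use_strict_mode=1, regenerate_on_login models
session_regenerate_id(true) after a successful login."""
import secrets


class SessionStore:
    def __init__(self, strict_mode, regenerate_on_login):
        self.strict_mode = strict_mode
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> session data

    def start(self, supplied_sid=None):
        """session_id($supplied); session_start() as the vulnerable endpoint does it.
        Non-strict handling adopts any id it is handed and creates the session
        under it; strict handling ignores an id that is not already in the store
        and issues a server-generated one instead."""
        if supplied_sid is not None and supplied_sid not in self.sessions and self.strict_mode:
            supplied_sid = None
        if supplied_sid is None:
            supplied_sid = secrets.token_hex(16)
        self.sessions.setdefault(supplied_sid, {})
        return supplied_sid

    def login(self, sid, user):
        """Authenticate the session, optionally moving it to a fresh id first."""
        data = self.sessions[sid]
        if self.regenerate_on_login:
            del self.sessions[sid]  # the pre-login id is no longer valid
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        data["user"] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_succeeds(store, attacker_obtains_valid_sid):
    """Play out the attack and report whether the attacker ends up holding an
    authenticated session.
    1. attacker picks the id to plant: an arbitrary string, or an id the server
       issued to the attacker's own browser
    2. victim follows a link with ?aicc_sid=<id>; the endpoint calls session_id() on it
    3. victim logs in
    4. attacker presents the planted id"""
    if attacker_obtains_valid_sid:
        planted = store.start()
    else:
        planted = "attackerchosen" + "0" * 18
    victim_sid = store.start(planted)
    store.login(victim_sid, "admin")
    return store.user_for(planted) == "admin"


def evaluate():
    """Outcome for the four configurations:
    {(strict_mode, regenerate_on_login): (arbitrary_id_works, server_issued_id_works)}"""
    return {
        (strict, regen): tuple(
            fixation_succeeds(SessionStore(strict, regen), real) for real in (False, True)
        )
        for strict in (False, True)
        for regen in (False, True)
    }


if __name__ == "__main__":
    for (strict, regen), (arbitrary, real) in evaluate().items():
        print(f"strict_mode={strict!s:5} regenerate_on_login={regen!s:5} "
              f"arbitrary id: {'hijacked' if arbitrary else 'safe'}  "
              f"server-issued id: {'hijacked' if real else 'safe'}")
```

The output table makes the point the mitigation list relies on: the unpatched configuration is hijacked by both variants, strict mode alone blocks only the arbitrary identifier and still loses to an attacker who first collects a valid identifier from the server, and regenerating the identifier at login defeats both regardless of strict mode. Removing the endpoint's use of request parameters for `session_id()` closes the specific entry point; regeneration at login is what removes the class of attack.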
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The session fixation vulnerability in Chamilo LMS allows an attacker to hijack user sessions, potentially leading to account takeover and unauthorized access to sensitive user data.
Such unauthorized access and compromise of user accounts can result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over user data confidentiality and integrity.
Specifically, the vulnerability impacts confidentiality, integrity, and availability of data (all rated high in CVSS), which are core principles in these regulations.
Failure to address this vulnerability could lead to non-compliance with these standards due to potential data breaches and unauthorized data access.
The recommended fixes, including removing direct session ID setting from user input, regenerating session IDs after authentication, and enforcing secure session handling, help restore compliance by protecting session integrity and user data security.