CVE-2026-32892
OS Command Injection in Chamilo LMS File Move Function
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | to 1.11.38 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker with teacher-level privileges to execute arbitrary OS commands remotely, resulting in a complete compromise of confidentiality, integrity, and availability of the affected system.
Such a compromise can lead to unauthorized access and exfiltration of sensitive data including database credentials, user data, grades, and documents.
Because of this, the vulnerability poses significant risks to compliance with data protection regulations and standards such as GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.
Failure to remediate this vulnerability could result in violations of these regulations due to potential data breaches and loss of data integrity.
Can you explain this vulnerability to me?
CVE-2026-32892 is a critical OS Command Injection vulnerability in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability exists in the move() function within the fileManage.lib.php file, where user-supplied path parameters are passed directly into shell commands executed via PHP's exec() without proper escaping. Specifically, the move_to POST parameter is only filtered by an HTML-focused function and then concatenated into shell commands like exec("mv $source $target"), allowing injection of arbitrary OS commands.
Any authenticated user with a teacher role can exploit this vulnerability by first creating a directory with shell metacharacters in its name (possible via Course Backup Import), then moving a document into this directory to trigger arbitrary command execution as the web server user (www-data). This leads to remote code execution without user interaction.
How can this vulnerability impact me?
This vulnerability allows an attacker with teacher-level privileges to execute arbitrary OS commands remotely on the server running Chamilo LMS. The impact includes full remote code execution (RCE), which can lead to complete compromise of the system's confidentiality, integrity, and availability.
- Execution of arbitrary commands as the web server user (www-data).
- Compromise of the server, including access to sensitive data such as database credentials, user data, grades, and documents.
- Lateral movement within internal networks.
- Establishment of persistence through backdoors or cron jobs.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves OS command injection through unsanitized shell command execution in Chamilo LMS, specifically via the move() function and related exec() calls. Detection can focus on monitoring for unusual or unauthorized shell command executions initiated by the web server user (www-data), especially commands involving 'mv' or other file operations with suspicious parameters.
To detect exploitation attempts, you can monitor web server logs for POST requests to document.php with the 'move_to' parameter containing shell metacharacters or suspicious directory names.
Additionally, monitoring process executions or command histories for exec or shell_exec calls with unescaped arguments related to file moves or document handling can help identify exploitation.
Example commands to help detect suspicious activity might include:
- Check web server access logs for suspicious POST requests: grep 'document.php' /var/log/apache2/access.log | grep 'move_to='
- Monitor running processes for suspicious mv commands executed by www-data: ps -u www-data -o pid,cmd | grep mv
- Audit shell command executions by the web server user using auditd or similar tools to detect exec or shell_exec calls with unusual arguments.
- Look for directories with shell metacharacters in their names created via Course Backup Import or other means.
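The log check and the directory-name check from the list above, written out as an added example (not code from the advisory or from the Chamilo project). The metacharacter set, the `/lms/document.php` path and the sample directory names and log lines are constructed assumptions; point the two functions at your own course document root and access log.

```shell
#!/bin/sh
# Assumed metacharacter set (not taken from the advisory):
# ; | & $ ` < > ( ) ' " and control characters such as newline.

# Print directories under $1 whose name contains one of those characters.
find_metachar_dirs() {
    find "$1" -type d \( \
        -name '*[;|&$`<>()[:cntrl:]]*' -o \
        -name "*[\"']*" \
    \) -print
}

# Print log lines where a request to document.php carries a move_to value
# with a raw or percent-encoded metacharacter. Default access logs do not
# record POST bodies, so this only sees move_to in the logged request line.
find_suspicious_moves() {
    grep -E 'document\.php' "$1" |
        grep -Ei 'move_to=[^& "]*(%3B|%7C|%26|%24|%60|%28|%29|%3C|%3E|[;|$`()<>])'
}

# Build constructed sample data and report how many hits each check finds.
run_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/document/week 1" "$tmp/document/lab;demo" \
             "$tmp/document/unit|two" "$tmp/document/plain"
    # Constructed log lines; /lms/document.php is a placeholder path.
    cat > "$tmp/access.log" <<'EOF'
203.0.113.5 - - [10/Apr/2026:10:00:00 +0000] "POST /lms/document.php?move_to=%2Flab%3Bdemo HTTP/1.1" 200 512
203.0.113.5 - - [10/Apr/2026:10:00:05 +0000] "POST /lms/document.php?move_to=%2Fplain HTTP/1.1" 200 512
203.0.113.9 - - [10/Apr/2026:10:01:00 +0000] "GET /lms/document.php?id=4 HTTP/1.1" 200 900
EOF
    dirs=$(find_metachar_dirs "$tmp/document" | wc -l | tr -d ' ')
    moves=$(find_suspicious_moves "$tmp/access.log" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "dirs=$dirs moves=$moves"
}

run_demo
```

Hits from either function are leads for review rather than proof of exploitation, since a directory name containing one of these characters can also have been created legitimately.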
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patches that sanitize all shell command inputs using PHP's escapeshellarg() function to prevent command injection.
Specifically, update Chamilo LMS to version 1.11.38 or later (or 2.0.0-RC.3 or later) where the vulnerability is fixed.
If immediate patching is not possible, restrict access to the affected functionality by limiting teacher role permissions or disabling course creation and document moving features temporarily.
Implement strict access control checks to ensure only authorized users can execute file move operations.
Consider replacing shell command executions with PHP-native or Symfony Filesystem functions to eliminate the command injection attack surface.
Monitor and audit system logs for suspicious activity related to this vulnerability until the patch is applied.