CVE-2026-32931
Unrestricted File Upload in Chamilo LMS Enables Remote Code Execution
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.38 (excluding 1.11.38) |
| chamilo | chamilo_lms | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32931 is a high-severity vulnerability in Chamilo LMS affecting versions prior to 1.11.38 and 2.0.0-RC.3. It arises from an unrestricted file upload flaw in the exercise sound upload function, where an authenticated teacher can upload a malicious PHP webshell by spoofing the Content-Type header to appear as audio/mpeg.
The vulnerability exists because the system only checks the client-supplied Content-Type header for 'audio' or 'video' strings without validating the actual file content or extension. This allows uploading files with dangerous extensions like .php, which are saved in a web-accessible directory, enabling Remote Code Execution (RCE) as the web server user.
Additionally, there is no sanitization or path normalization of the uploaded filename, allowing potential path traversal attacks. This flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).
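The two defects the description lists, a substring match on the client-supplied Content-Type and no normalisation of the uploaded filename, map directly onto a small upload checker. The following is an added example written for this page, not Chamilo's own code: vulnerable_accepts reproduces the weak pattern exactly as the description states it, and check_upload/store show the hardened form (single-segment filename, extension allow-list, exact declared-type match, magic-byte check on the body, and a server-generated storage name so the client's name never reaches disk). The allowed formats, the function names and the upload_root argument are assumptions made for the example.

```python
import os
import secrets

# Constructed policy for this example: the formats an exercise sound upload may
# contain, keyed by the stored extension. The values are the MIME types a client
# is allowed to declare for that extension; they are a hint, never the decision.
ALLOWED_TYPES = {
    ".mp3": {"audio/mpeg", "audio/mp3"},
    ".ogg": {"audio/ogg"},
    ".wav": {"audio/wav", "audio/x-wav", "audio/wave"},
}


def vulnerable_accepts(content_type):
    """The check the advisory describes: a substring test on the client-supplied
    Content-Type, with the filename and the file body never examined."""
    return "audio" in content_type or "video" in content_type


def _body_matches(ext, data):
    """Cheap container check on the leading bytes (magic numbers)."""
    if ext == ".mp3":
        # ID3v2 tag, or an MPEG audio frame sync (11 set bits).
        return data.startswith(b"ID3") or (
            len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0)
    if ext == ".ogg":
        return data.startswith(b"OggS")
    if ext == ".wav":
        return data[:4] == b"RIFF" and data[8:12] == b"WAVE"
    return False


def check_upload(filename, content_type, data):
    """Return (accepted, detail). On acceptance detail is the extension the file
    will be stored under; on rejection it is the reason."""
    # 1. Path normalisation: the client-chosen name must be a single segment.
    if "/" in filename or "\\" in filename or ".." in filename:
        return False, "filename contains path separators or '..'"
    # 2. Allow-list on the final extension, so .php, .phtml, .phar or a missing
    #    extension are rejected before anything touches disk.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    # 3. The declared type must be an exact allow-listed value for that
    #    extension (exact comparison, not a substring search).
    declared = content_type.split(";")[0].strip().lower()
    if declared not in ALLOWED_TYPES[ext]:
        return False, f"declared type {declared!r} does not match {ext}"
    # 4. The body must actually look like that container.
    if not _body_matches(ext, data):
        return False, f"content is not {ext} audio"
    # 5. Defence in depth: an audio file has no business carrying PHP open tags.
    if b"<?php" in data or b"<?=" in data:
        return False, "PHP open tag inside audio body"
    return True, ext


def storage_name(ext):
    """Never reuse the client's name: a random server-side name with the
    validated extension removes double-extension and overwrite tricks."""
    return secrets.token_hex(16) + ext


def store(upload_root, filename, content_type, data):
    """Validate, then write under a server-chosen name inside upload_root."""
    ok, detail = check_upload(filename, content_type, data)
    if not ok:
        raise ValueError(detail)
    dest = os.path.join(upload_root, storage_name(detail))
    # Final containment check: the resolved path must stay under upload_root.
    root = os.path.realpath(upload_root)
    if os.path.commonpath([root, os.path.realpath(dest)]) != root:
        raise ValueError("destination escapes upload root")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest
```

The order of the checks matters: the filename and extension are decided first, the declared Content-Type is only consulted afterwards and only as an exact match, and the body is inspected last. A request that would sail through vulnerable_accepts ("shell.php" declared as audio/mpeg) is rejected at step 2, and a ".mp3" whose body is PHP source is rejected at step 4.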
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated teacher to upload a PHP webshell, leading to Remote Code Execution on the server. This can result in unauthorized access to sensitive files such as /etc/passwd and .env files containing database credentials, potentially leading to full server compromise and lateral movement within the system.
Such unauthorized access and potential data breaches could violate common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. The ability to read sensitive configuration and user data, and to execute arbitrary code, undermines confidentiality, integrity, and availability of data, thereby impacting compliance.
Therefore, if exploited, this vulnerability could lead to non-compliance with data protection regulations due to exposure or compromise of sensitive information.
How can this vulnerability impact me?
This vulnerability can have severe impacts including Remote Code Execution on the server with the privileges of the web server user (www-data).
- Attackers can upload a PHP webshell, gaining persistent access to the server.
- They can read sensitive files such as /etc/passwd, .env files containing database credentials, and potentially /etc/shadow.
- Full server compromise is possible, allowing lateral movement within the network using exposed credentials.
- Path traversal vulnerabilities allow writing files outside the intended directories, increasing the attack surface.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of suspicious PHP files uploaded in the exercise sound upload directory, especially files with .php extensions that should not normally be there.
Since the vulnerability involves an authenticated teacher uploading a PHP webshell by spoofing the Content-Type header to audio/mpeg, monitoring HTTP requests for unusual Content-Type headers during file uploads can help detect exploitation attempts.
- Search for PHP files in the web-accessible audio upload directory, for example: find /path/to/chamilo/public/uploads/audio -name '*.php'
- Check web server logs for POST requests to the exercise sound upload endpoint with Content-Type headers set to audio/mpeg or other audio/video types but resulting in PHP file uploads.
- Use commands like grep to find suspicious upload attempts in logs: grep -i 'Content-Type: audio/mpeg' /var/log/apache2/access.log (this only works if your LogFormat records the request Content-Type header, for example via %{Content-Type}i; the default combined format does not log request headers)
- Look for files with suspicious names or path traversal patterns (e.g., ../../../evil.php) in the upload directories.
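The find and grep commands above are a starting point; the scan below is an added example written for this page, not a Chamilo tool, and generalises them in two ways. scan_upload_dir walks an upload tree and flags every PHP-handler extension (not only .php, and in any position, so shell.php.mp3 is caught), PHP open tags inside files with an audio name, and server configuration overrides dropped into the upload tree. suspicious_requests then reads ordinary combined-format access log lines, which do record the request path even though they do not record request headers, and reports any request for an executable file under the upload URL prefix. The prefix /uploads/audio/, the sample file tree and the log lines are constructed for the example.

```python
import os
import re
import tempfile

# Extensions a PHP-capable server may hand to the interpreter. The exact set
# depends on the handler configuration; this is a conservative starting list.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")
# Files that change how the web server treats the directory they sit in.
CONFIG_OVERRIDES = {".htaccess", ".user.ini"}
# Combined log format: ip ident user [ts] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def _executable_name(name):
    """True if any extension segment is a PHP handler extension, so both
    shell.php and shell.php.mp3 (multi-extension handling) match."""
    return any("." + seg in EXECUTABLE_EXTS for seg in name.lower().split(".")[1:])


def scan_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for files that should not be
    in an audio upload directory."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in CONFIG_OVERRIDES:
                findings.append((rel, "server config override in upload tree"))
            elif _executable_name(name):
                findings.append((rel, "executable extension"))
            else:
                # Audio-named file: look at the head of the body for PHP source.
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                if PHP_OPEN_TAG.search(head):
                    findings.append((rel, "PHP open tag inside non-PHP file"))
    return sorted(findings)


def suspicious_requests(log_lines, upload_prefix):
    """Return (ip, method, path, status) for requests that reach an executable
    file under the upload prefix; a served webshell shows up here."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.startswith(upload_prefix) and _executable_name(path.rsplit("/", 1)[-1]):
            hits.append((m.group("ip"), m.group("method"), path, m.group("status")))
    return hits


def demo():
    """Build a constructed upload tree and constructed log lines, run both checks."""
    root = tempfile.mkdtemp(prefix="audio-scan-")
    os.makedirs(os.path.join(root, "course1"))
    samples = {  # constructed sample files
        "course1/lecture.mp3": b"ID3\x03\x00" + b"\x00" * 16,
        "course1/shell.php": b"<?php echo 1; ?>",
        "course1/notes.php.mp3": b"ID3",
        "course1/cover.mp3": b"ID3" + b"<?php echo 2; ?>",
        "course1/.htaccess": b"# constructed",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    logs = [  # constructed log lines; the upload endpoint path is a placeholder
        '203.0.113.5 - - [10/Apr/2026:10:00:01 +0000] "POST /path/to/exercise/sound-upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [10/Apr/2026:10:00:07 +0000] "GET /uploads/audio/course1/shell.php?x=1 HTTP/1.1" 200 87 "-" "curl/8.0"',
        '198.51.100.9 - - [10/Apr/2026:10:01:00 +0000] "GET /uploads/audio/course1/lecture.mp3 HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    ]
    return scan_upload_dir(root), suspicious_requests(logs, "/uploads/audio/")


if __name__ == "__main__":
    for result in demo():
        for item in result:
            print(item)
```

Run scan_upload_dir against the real upload root and suspicious_requests against the real access log with the prefix that maps to that directory; the two results cross-check each other, since a file flagged on disk that also appears as a served request in the log is a stronger signal than either alone.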
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later, where this vulnerability has been fixed.
If upgrading immediately is not possible, restrict or disable the exercise sound upload functionality for authenticated teachers until a patch can be applied.
Manually remove any suspicious PHP files found in the web-accessible upload directories to prevent remote code execution.
Review and harden web server permissions and handler configuration so that files in the upload directories are served as static content and are never passed to the PHP interpreter.
Monitor logs for suspicious upload activity and consider temporarily restricting authenticated user privileges related to file uploads.