CVE-2026-32931
Received Received - Intake
Unrestricted File Upload in Chamilo LMS Enables Remote Code Execution

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32931
EUVD
EUVD-2026-21531
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms to 1.11.38 (exc)
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated teacher to upload a PHP webshell, leading to Remote Code Execution on the server. This can result in unauthorized access to sensitive files such as /etc/passwd and .env files containing database credentials, potentially leading to full server compromise and lateral movement within the system.

Such unauthorized access and potential data breaches could violate common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. The ability to read sensitive configuration and user data, and to execute arbitrary code, undermines confidentiality, integrity, and availability of data, thereby impacting compliance.

Therefore, if exploited, this vulnerability could lead to non-compliance with data protection regulations due to exposure or compromise of sensitive information.

Executive Summary

CVE-2026-32931 is a high-severity vulnerability in Chamilo LMS affecting versions prior to 1.11.38 and 2.0.0-RC.3. It arises from an unrestricted file upload flaw in the exercise sound upload function, where an authenticated teacher can upload a malicious PHP webshell by spoofing the Content-Type header to appear as audio/mpeg.

The vulnerability exists because the system only checks the client-supplied Content-Type header for 'audio' or 'video' strings without validating the actual file content or extension. This allows uploading files with dangerous extensions like .php, which are saved in a web-accessible directory, enabling Remote Code Execution (RCE) as the web server user.

Additionally, there is no sanitization or path normalization of the uploaded filename, allowing potential path traversal attacks. This flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).

Impact Analysis

This vulnerability can have severe impacts including Remote Code Execution on the server with the privileges of the web server user (www-data).

  • Attackers can upload a PHP webshell, gaining persistent access to the server.
  • They can read sensitive files such as /etc/passwd, .env files containing database credentials, and potentially /etc/shadow.
  • Full server compromise is possible, allowing lateral movement within the network using exposed credentials.
  • Path traversal vulnerabilities allow writing files outside the intended directories, increasing the attack surface.
Detection Guidance

This vulnerability can be detected by checking for the presence of suspicious PHP files uploaded in the exercise sound upload directory, especially files with .php extensions that should not normally be there.

Since the vulnerability involves an authenticated teacher uploading a PHP webshell by spoofing the Content-Type header to audio/mpeg, monitoring HTTP requests for unusual Content-Type headers during file uploads can help detect exploitation attempts.

  • Search for PHP files in the web-accessible audio upload directory, for example: find /path/to/chamilo/public/uploads/audio -name '*.php'
  • Check web server logs for POST requests to the exercise sound upload endpoint with Content-Type headers set to audio/mpeg or other audio/video types but resulting in PHP file uploads.
  • Use commands like grep to find suspicious upload attempts in logs: grep -i 'Content-Type: audio/mpeg' /var/log/apache2/access.log
  • Look for files with suspicious names or path traversal patterns (e.g., ../../../evil.php) in the upload directories.
Mitigation Strategies

The immediate mitigation step is to upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, restrict or disable the exercise sound upload functionality for authenticated teachers until a patch can be applied.

Manually remove any suspicious PHP files found in the web-accessible upload directories to prevent remote code execution.

Review and harden web server permissions to limit execution of uploaded files in the upload directories.

Monitor logs for suspicious upload activity and consider temporarily restricting authenticated user privileges related to file uploads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32931. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart