CVE-2026-32932
Received Received - Intake
Open Redirect in Chamilo LMS Session Course Edit Page

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32932
EUVD
EUVD-2026-21534
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms to 1.11.38 (exc)
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to redirect an authenticated administrator to an arbitrary external URL and leaks the id_session parameter to the attacker's server.

This leakage of session identifiers and the potential for phishing attacks could lead to unauthorized access or exposure of sensitive information, which may impact compliance with data protection regulations such as GDPR or HIPAA.

Because the redirect originates from a legitimate Chamilo URL, it can bypass security awareness measures, increasing the risk of credential harvesting and data breaches.

Executive Summary

CVE-2026-32932 is an Open Redirect vulnerability in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. It occurs in the session course edit page where an attacker can manipulate the `page` parameter used in HTTP redirects after saving coach assignment changes.

The vulnerability arises because the application improperly validates and sanitizes the `page` parameter, allowing an attacker to redirect an authenticated administrator to an arbitrary external URL. Additionally, the `id_session` parameter is leaked to the attacker’s server via the redirect URL.

The root cause is that the original code used a function that only removed XSS-related content but did not restrict the redirect to internal pages, enabling external URLs to be used in redirects.

The vulnerability is fixed by introducing a whitelist of allowed pages, sanitizing the `page` parameter using PHP’s `basename()` function, validating it against the whitelist, and only redirecting to these safe pages.

Impact Analysis

This vulnerability can impact you by allowing attackers to redirect authenticated administrators to malicious external websites after they perform routine administrative actions.

Because the redirect originates from a legitimate Chamilo LMS URL, it can bypass security awareness measures and be used in phishing attacks to harvest credentials by chaining with convincing login-page clones.

Additionally, the `id_session` parameter is leaked to the attacker’s server, potentially exposing session-related information.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 4.7, indicating a network attack vector with low complexity and no privileges required but requiring user interaction.

Detection Guidance

This vulnerability involves an Open Redirect in the Chamilo LMS session course edit page, where the `page` parameter in the URL is improperly validated, allowing redirection to arbitrary external URLs.

To detect this vulnerability on your system, you can check if your Chamilo LMS installation is running a vulnerable version (prior to 1.11.38 or 2.0.0-RC.3).

You can also monitor HTTP traffic or logs for suspicious redirect patterns involving the `page` parameter redirecting to external URLs.

  • Use curl or wget to test the redirect behavior by sending a crafted request to the session course edit page with a malicious `page` parameter, for example:
  • curl -I 'https://your-chamilo-instance/main/session/session_course_edit.php?page=https://attacker.example/phishing&id_session=5'
  • Check the HTTP response headers for a Location header redirecting to an external URL.
  • Review web server access logs for requests to `session_course_edit.php` containing suspicious `page` parameters pointing to external domains.
Mitigation Strategies

The immediate mitigation step is to upgrade Chamilo LMS to a fixed version, specifically version 1.11.38 or 2.0.0-RC.3 or later, where this vulnerability has been patched.

The patch involves strict validation and sanitization of the `page` parameter by implementing a whitelist of allowed pages and using PHP's basename() function to sanitize input, preventing unauthorized redirects.

If upgrading immediately is not possible, you can apply the patch manually by:

  • Implementing a whitelist of allowed pages (e.g., 'session_course_list.php' and 'resume_session.php') for the `page` parameter.
  • Sanitizing the `page` parameter using PHP's basename() function to strip directory paths.
  • Validating the sanitized `page` parameter against the whitelist and defaulting to a safe page if it does not match.
  • Using the sanitized and validated `page` parameter in the redirect header instead of the raw input.

Additionally, review and monitor administrative actions and educate administrators about phishing risks that could exploit this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32932. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart