Compliance Impact

This vulnerability compromises compliance with data protection regulations such as GDPR and FERPA by allowing unauthorized access to sensitive personal and educational data.

Exposing user learning progress, certificates, and gradebook scores without proper authorization violates principles of data confidentiality and privacy mandated by these regulations.

Organizations using vulnerable versions of Chamilo LMS risk non-compliance penalties and reputational damage due to failure to adequately protect user data.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33141 is an Insecure Direct Object Reference (IDOR) vulnerability in the Chamilo LMS REST API stats endpoint. It allows any authenticated user, including low-privilege users such as students, to access sensitive learning data of other users without proper authorization. This includes reading another user's learning progress, certificates, and gradebook scores for any course, even if the requester is not enrolled or supervising that user.

The vulnerability exists because the API endpoint does not perform adequate permission checks to verify whether the requesting user is authorized to view the requested data. Instead, it only checks if the user is authenticated, failing to confirm ownership or supervisory rights over the data.

This issue was fixed by adding comprehensive access control logic that enforces permission checks based on user roles, course enrollment, and supervisory relationships.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive educational information. Any authenticated user can read other users' learning progress, certificates, and gradebook scores without permission.

Such unauthorized access can result in privacy violations, exposure of personal and academic data, and potential misuse of this information.

Additionally, the vulnerability enables mass data extraction and user enumeration, increasing the risk of large-scale data breaches.

The vulnerability has a CVSS v3.1 base score of 6.5, indicating moderate severity, with high impact on confidentiality but no impact on integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring API requests to the Chamilo LMS REST API stats endpoint, specifically GET requests to the path /api/users/{id}/courses/{courseId}/stats/{metric}.

Suspicious activity includes authenticated users accessing statistics data for other users without proper enrollment or supervisory roles.

To detect exploitation attempts, you can search your web server or application logs for requests matching the vulnerable endpoint pattern.

• Example command to search logs for suspicious API calls (assuming Apache logs):
• grep "/api/users/.*/courses/.*/stats/" /var/log/apache2/access.log
• You can also filter for requests made by low-privilege users or unusual user IDs to identify unauthorized access attempts.

Additionally, monitoring for abnormal patterns such as a single user querying multiple other users' statistics can indicate exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the vulnerability is fixed.

If immediate upgrade is not possible, restrict access to the vulnerable API endpoint by implementing network-level controls such as firewall rules or API gateway policies to limit access to trusted users only.

Review and monitor user activity on the /api/users/{id}/courses/{courseId}/stats/{metric} endpoint to detect and block unauthorized access.

Consider applying custom patches or temporary access control logic in the GetStatsAction controller to enforce proper authorization checks as described in the fix.

Useful 0 Not Useful 0