Executive Summary

CVE-2026-33618 is a high-severity remote code execution (RCE) vulnerability in Chamilo LMS versions greater than 1.11.* up to 2.0-RC.2. The vulnerability exists in the PlatformConfigurationController::decodeSettingArray() method, which uses PHP's eval() function to parse platform settings retrieved from the database.

If an attacker has administrative access, they can inject arbitrary PHP code into the platform settings stored in the database. This injected code is then executed whenever any user, including unauthenticated users, accesses the /platform-config/list route, which does not require authentication.

The root cause is improper sanitization of user-controlled input before passing it to eval(), leading to arbitrary code execution under the web server user.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with admin access to execute arbitrary system commands on the server running Chamilo LMS.

• Full remote code execution under the www-data user.
• Ability to read sensitive files such as .env files containing database credentials.
• Establish reverse shells to maintain persistent access.
• Complete compromise of the server hosting the LMS.

Additionally, when combined with a prior vulnerability (Advisory 1), even a registered student user can escalate privileges to achieve full server compromise.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves arbitrary PHP code injection into platform settings that are executed when the /platform-config/list route is accessed. Detection can focus on monitoring access to this route and inspecting platform settings for suspicious PHP code.

• Check web server logs for requests to /platform-config/list, especially from unusual or unauthorized sources.
• Query the database for the platform settings, particularly the catalog.course_catalog_settings value, to look for injected PHP code.
• Use commands to inspect the database settings, for example, using SQL queries like: SELECT * FROM platform_settings WHERE setting_key = 'catalog.course_catalog_settings';
• Look for suspicious PHP code patterns or eval() usage in the stored settings.
• Monitor for unexpected PHP execution or unusual system commands running under the www-data user.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the vulnerability is fixed by removing the unsafe eval() usage.

Until the upgrade can be applied, restrict administrative access to trusted users only, as the vulnerability requires admin privileges to inject malicious code.

Monitor and audit platform settings for any suspicious or unexpected PHP code injections.

Limit access to the /platform-config/list route if possible, or implement additional authentication or access controls.

Review and harden server permissions to minimize impact if exploitation occurs, such as restricting www-data user privileges.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker with administrative access to inject and execute arbitrary PHP code on the server, leading to full remote code execution. Such a compromise can result in unauthorized access to sensitive data, including database credentials and potentially personal or protected information.

Because the vulnerability enables attackers to read sensitive files and fully compromise the server, it poses a significant risk to data confidentiality, integrity, and availability. This risk can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could result in violations of these standards due to potential data breaches and failure to maintain adequate security controls.

Useful 0 Not Useful 0