CVE-2026-33698
Unauthorized File Modification via PHP Code Execution in Chamilo LMS
Publication date: 2026-04-10
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | all versions before 1.11.38 (1.11.38 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33698 is a critical unauthenticated remote code execution (RCE) vulnerability in Chamilo LMS versions up to 1.11.36. It exists in the main/install/ directory which, if still present and accessible, allows an attacker to execute PHP code remotely without authentication.
The vulnerability arises because the installer blindly assigns all POST parameters to global variables, enabling attackers to inject arbitrary PHP code into the configuration file (configuration.php). This can lead to modification or creation of files within system permissions.
It only affects portals where the main/install/ directory is still present and readable. The vulnerability is fixed in version 1.11.38 by restricting POST parameters to a whitelist, escaping user inputs, blocking re-installation if already installed, and sanitizing inputs.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to remotely execute arbitrary PHP code on the affected Chamilo LMS system.
As a result, the attacker can modify existing files or create new files within the permissions allowed by the system, potentially compromising the integrity and availability of the portal.
Such a compromise can lead to full system control, unauthorized data access, data manipulation, or service disruption.
If exploited, administrators should check for unauthorized changes, especially in configuration files that control database credentials and security keys.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Chamilo LMS installations where the main/install/ directory is still present and readable. Detection involves checking if this directory exists and is accessible on your system.
- Check if the main/install/ directory exists and is readable on your Chamilo LMS installation.
- Look for unauthorized modifications, especially in the app/config/configuration.php file.
- Specifically, inspect configuration.php for suspicious changes such as unexpected file write functions (e.g., file_put_contents()), altered database host and credentials, or changes to the security key ($_configuration['security_key']).
Suggested commands to detect the vulnerability or signs of exploitation include:
- On the server, run: `ls -ld /path/to/chamilo/main/install/` to check if the directory exists and is readable.
- Check for recent changes in configuration.php: `stat /path/to/chamilo/app/config/configuration.php` or `ls -l --time=ctime /path/to/chamilo/app/config/configuration.php`.
- Search for suspicious file write functions in configuration.php: `grep -E 'file_put_contents|fwrite' /path/to/chamilo/app/config/configuration.php`.
- Review the contents of configuration.php for unexpected or suspicious entries related to database credentials or security keys.
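The checks listed above combined into one POSIX shell helper, as an added example that is not part of this advisory or of the Chamilo project. It assumes the standard 1.11 layout (`<root>/main/install/` and `<root>/app/config/configuration.php`); the function list it greps for extends the page's `file_put_contents`/`fwrite` pair with other functions that do not belong in a plain settings file, and every hit is a lead for manual review, not proof of compromise.

```shell
#!/bin/sh
# Added detection helper for CVE-2026-33698 exposure; not from the Chamilo
# project or the advisory. Assumes the standard 1.11 layout: <root>/main/install/
# and <root>/app/config/configuration.php. Usage: chamilo_check /path/to/chamilo

# Exposure condition: returns 0 when main/install/ exists and is readable.
check_install_dir() {
  [ -d "$1/main/install" ] && [ -r "$1/main/install" ]
}

# Heuristic scan of configuration.php for functions that do not belong in a
# plain settings file. Prints matching lines with line numbers.
# Returns 0 = findings, 1 = clean, 2 = file missing.
check_config() {
  cfg="$1/app/config/configuration.php"
  [ -f "$cfg" ] || { echo "missing: $cfg"; return 2; }
  grep -nE 'file_put_contents|fwrite|fopen|eval\(|base64_decode|system\(|shell_exec|passthru' "$cfg"
}

# Runs both checks and reports; returns 1 if anything needs attention, else 0.
chamilo_check() {
  root="$1"
  rc=0
  if check_install_dir "$root"; then
    echo "[EXPOSED] $root/main/install/ is present and readable: remove it or upgrade to 1.11.38+"
    rc=1
  else
    echo "[OK] main/install/ absent or unreadable"
  fi
  # Capture output and exit code without tripping set -e in callers.
  findings=$(check_config "$root" 2>&1) && cfg_rc=0 || cfg_rc=$?
  case $cfg_rc in
    0) echo "[SUSPECT] code in configuration.php that warrants review:"
       printf '%s\n' "$findings" | sed 's/^/    /'
       rc=1 ;;
    1) echo "[OK] no write/exec functions in configuration.php" ;;
    *) echo "[WARN] $findings" ;;
  esac
  return $rc
}

# Run directly with the Chamilo root as the only argument.
if [ -n "${1:-}" ]; then chamilo_check "$1"; fi
```

A clean result from this script only says the known indicators are absent; on a portal that was exposed, still compare configuration.php against a known-good backup, since altered credentials or a changed security_key look like ordinary assignments.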
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2026-33698 include:
- Update Chamilo LMS to version 1.11.38 or later, where the vulnerability is fixed.
- If updating is not immediately possible, delete the main/install/ directory from your Chamilo LMS installation if it is not required for system operation. This is a recommended workaround.
- Check for and remediate any unauthorized modifications, especially in the app/config/configuration.php file.
- Apply the patch identified as d3355d7, which restricts POST parameters, blocks re-installation if configuration.php exists, and escapes user inputs to prevent code injection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-33698 is a critical unauthenticated remote code execution vulnerability that allows attackers to modify or create files on affected Chamilo LMS installations if the main/install/ directory is present and accessible.
Such unauthorized access and modification can lead to a full compromise of system data and service availability, which may result in exposure or alteration of sensitive personal data managed by the LMS.
This level of compromise can negatively impact compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal data confidentiality, integrity, and availability.
Organizations using vulnerable versions of Chamilo LMS risk violating these standards if the vulnerability is exploited, as it undermines the security controls necessary to safeguard sensitive information.
Mitigation by updating to version 1.11.38 or later, or removing the vulnerable directory, is essential to maintain compliance and reduce risk.