CVE-2026-33698
Received Received - Intake
Unauthorized File Modification via PHP Code Execution in Chamilo LMS

Publication date: 2026-04-10

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33698
EUVD
EUVD-2026-21539
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chamilo chamilo_lms to 1.11.38 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33698 is a critical unauthenticated remote code execution (RCE) vulnerability in Chamilo LMS versions up to 1.11.36. It exists in the main/install/ directory, which if still present and accessible, allows an attacker to execute PHP code remotely without authentication.

The vulnerability arises because the installer blindly assigns all POST parameters to global variables, enabling attackers to inject arbitrary PHP code into the configuration file (configuration.php). This can lead to modification or creation of files within system permissions.

It only affects portals where the main/install/ directory is still present and readable. The vulnerability is fixed in version 1.11.38 by restricting POST parameters to a whitelist, escaping user inputs, blocking re-installation if already installed, and sanitizing inputs.

Impact Analysis

This vulnerability allows an unauthenticated attacker to remotely execute arbitrary PHP code on the affected Chamilo LMS system.

As a result, the attacker can modify existing files or create new files within the permissions allowed by the system, potentially compromising the integrity and availability of the portal.

Such a compromise can lead to full system control, unauthorized data access, data manipulation, or service disruption.

If exploited, administrators should check for unauthorized changes, especially in configuration files that control database credentials and security keys.

Detection Guidance

This vulnerability affects Chamilo LMS installations where the main/install/ directory is still present and readable. Detection involves checking if this directory exists and is accessible on your system.

  • Check if the main/install/ directory exists and is readable on your Chamilo LMS installation.
  • Look for unauthorized modifications, especially in the app/config/configuration.php file.
  • Specifically, inspect configuration.php for suspicious changes such as unexpected file write functions (e.g., file_put_contents()), altered database host and credentials, or changes to the security key ($_configuration['security_key']).

Suggested commands to detect the vulnerability or signs of exploitation include:

  • On the server, run: `ls -ld /path/to/chamilo/main/install/` to check if the directory exists and is readable.
  • Check for recent changes in configuration.php: `stat /path/to/chamilo/app/config/configuration.php` or `ls -l --time=ctime /path/to/chamilo/app/config/configuration.php`.
  • Search for suspicious file write functions in configuration.php: `grep -E 'file_put_contents|fwrite' /path/to/chamilo/app/config/configuration.php`.
  • Review the contents of configuration.php for unexpected or suspicious entries related to database credentials or security keys.
Mitigation Strategies

Immediate mitigation steps for CVE-2026-33698 include:

  • Update Chamilo LMS to version 1.11.38 or later, where the vulnerability is fixed.
  • If updating is not immediately possible, delete the main/install/ directory from your Chamilo LMS installation if it is not required for system operation. This is a recommended workaround.
  • Check for and remediate any unauthorized modifications, especially in the app/config/configuration.php file.
  • Apply the patch identified as d3355d7 which restricts POST parameters, blocks re-installation if configuration.php exists, and escapes user inputs to prevent code injection.
Compliance Impact

CVE-2026-33698 is a critical unauthenticated remote code execution vulnerability that allows attackers to modify or create files on affected Chamilo LMS installations if the main/install/ directory is present and accessible.

Such unauthorized access and modification can lead to a full compromise of system data and service availability, which may result in exposure or alteration of sensitive personal data managed by the LMS.

This level of compromise can negatively impact compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal data confidentiality, integrity, and availability.

Organizations using vulnerable versions of Chamilo LMS risk violating these standards if the vulnerability is exploited, as it undermines the security controls necessary to safeguard sensitive information.

Mitigation by updating to version 1.11.38 or later, or removing the vulnerable directory, is essential to maintain compliance and reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33698. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart