CVE-2026-33702
IDOR Vulnerability in Chamilo LMS Allows Progress Manipulation
Publication date: 2026-04-10
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | < 1.11.38 (1.11.38 excluded) |
| chamilo | chamilo_lms | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33702 is an Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability exists in the Learning Path progress saving endpoint, specifically in the file lp_ajax_save_item.php.
The issue arises because the endpoint accepts a user ID parameter (uid) directly from the HTTP request without verifying that the requesting user is authorized to modify the specified user's Learning Path progress. This means any authenticated user enrolled in a course can manipulate the uid parameter to overwrite another user's Learning Path progress data, including score, status, completion, and time.
The root cause is that the code uses the uid parameter from the request instead of the authenticated user's ID, allowing unauthorized access and modification of other users' progress data.
The vulnerability was fixed by changing the code to always use the authenticated user's ID, obtained from the platform's session (api_get_user_id(), as noted under mitigation below), so the request can no longer choose which user's progress is written.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows any authenticated user enrolled in a course to overwrite another user's Learning Path progress data, including score, status, completion, and time, without proper authorization checks.
This unauthorized modification of another user's data compromises data integrity, which could negatively impact compliance with standards and regulations that require data accuracy and integrity, such as GDPR and HIPAA.
Although there is no direct confidentiality breach or data disclosure, the ability to alter user data without authorization may violate principles of data protection and user consent mandated by these regulations.
How can this vulnerability impact me?
This vulnerability allows any authenticated user enrolled in a course to maliciously alter another user's Learning Path progress data.
- An attacker can overwrite another user's score, status, completion, and time in the Learning Path.
- This compromises the integrity of user progress data within the LMS.
- There is no confidentiality impact, meaning no unauthorized data disclosure occurs.
- The availability impact is low.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring requests to the Learning Path progress saving endpoint, specifically looking for HTTP requests to the file `lp_ajax_save_item.php` that include a `uid` parameter different from the authenticated user's ID.
You can use network traffic inspection tools or web server logs to identify suspicious requests where the `uid` parameter is manipulated.
Example commands to detect such activity could include:
- Using grep on web server logs to find requests with the `uid` parameter: `grep 'lp_ajax_save_item.php' /var/log/apache2/access.log | grep 'uid='`
- Using a packet capture tool like tcpdump or Wireshark to filter HTTP POST requests to `lp_ajax_save_item.php` and inspect the `uid` parameter.
- Using intrusion detection system (IDS) rules to alert on requests where the `uid` parameter does not match the authenticated session user.
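The IDS-style check above (a `uid` that does not belong to the requesting session) needs more than a plain access log, because a standard Apache log records the request line but neither the POST body nor the logged-in user. The script below is an added example, not part of this record or of Chamilo; it assumes a LogFormat that appends the `Cookie` header, a session cookie name of `ch_sid`, the `/main/lp/` path prefix and the `lp`/`item` query parameters (all assumptions, only the file name `lp_ajax_save_item.php` comes from the page), and it only sees a `uid` that travels in the query string. Given an optional `{session cookie: user id}` mapping exported from the application's session store it flags direct mismatches; without one it falls back to flagging any session that submits more than one distinct `uid`, which is the signal a single enrolled user rewriting several other users' progress would leave.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Matches an Apache line written with the (assumed) LogFormat
#   "%h %l %u %t \"%r\" %>s %b \"%{Cookie}i\""
# i.e. the common log format followed by the raw Cookie header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"'
)
SESSION_COOKIE = "ch_sid"  # assumed cookie name, not taken from the record
ENDPOINT = "/lp_ajax_save_item.php"  # file name from the record


def parse_line(line):
    """Return a dict for a request to the progress-saving endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith(ENDPOINT):
        return None
    query = parse_qs(parts.query)
    cookies = dict(
        c.strip().split("=", 1) for c in m["cookie"].split(";") if "=" in c
    )
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "uid": query.get("uid", [None])[0],      # only visible if sent in the query string
        "session": cookies.get(SESSION_COOKIE),
    }


def find_suspicious(lines, session_user=None):
    """Return (reason, detail) findings for lp_ajax_save_item.php requests.

    session_user: optional {session_cookie: user_id} mapping (assumed to be
    exported from the application side). When present, a uid that differs from
    the session owner is flagged directly; in any case a session (or, lacking a
    cookie, a client IP) that submits several distinct uids is flagged.
    """
    session_user = session_user or {}
    findings = []
    uids_by_source = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec is None or rec["uid"] is None:
            continue
        source = rec["session"] or rec["ip"]
        uids_by_source[source].add(rec["uid"])
        owner = session_user.get(rec["session"])
        if owner is not None and str(owner) != rec["uid"]:
            findings.append(("uid does not match session user", rec))
    for source, uids in uids_by_source.items():
        if len(uids) > 1:
            findings.append(("multiple uids from one session",
                             {"source": source, "uids": sorted(uids)}))
    return findings


# Constructed sample log lines; IPs are documentation ranges, ids are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2026:09:12:01 +0000] "POST /main/lp/lp_ajax_save_item.php?lp=3&item=7&uid=42 HTTP/1.1" 200 12 "ch_sid=abc123"
203.0.113.5 - - [10/Apr/2026:09:12:09 +0000] "POST /main/lp/lp_ajax_save_item.php?lp=3&item=7&uid=17 HTTP/1.1" 200 12 "ch_sid=abc123"
198.51.100.9 - - [10/Apr/2026:09:13:40 +0000] "POST /main/lp/lp_ajax_save_item.php?lp=3&item=8&uid=88 HTTP/1.1" 200 12 "ch_sid=def456"
198.51.100.9 - - [10/Apr/2026:09:13:45 +0000] "GET /main/lp/lp_view.php?lp=3 HTTP/1.1" 200 5120 "ch_sid=def456"
""".splitlines()

# Constructed session-to-user mapping, as the application side would supply it.
SAMPLE_SESSIONS = {"abc123": 42, "def456": 88}

if __name__ == "__main__":
    for reason, detail in find_suspicious(SAMPLE_LOG, SAMPLE_SESSIONS):
        print(f"{reason}: {detail}")
```

Run against a real log, replace `SAMPLE_LOG` with the file's lines and either supply the session mapping or rely on the per-session heuristic; the second rule produces no finding for an honest user who only ever saves their own progress, so its false-positive rate is low.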
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Chamilo LMS to version 1.11.38 or later, or 2.0.0-RC.3 or later, where the vulnerability is fixed.
If upgrading is not immediately possible, you should apply the patch that removes the use of the user-supplied `uid` parameter and instead uses the authenticated user's ID obtained via `api_get_user_id()` in the `lp_ajax_save_item.php` file.
Additionally, restrict access to the vulnerable endpoint to only authorized users and monitor logs for suspicious activity involving the `uid` parameter.
Ensure that proper authorization checks are in place to verify that the user modifying the Learning Path progress is the owner of that data or a platform administrator.
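To make the root cause described in the explanation above and the fix described in the mitigation advice concrete, here is an added example in Python (not Chamilo's PHP and not the project's code) that models the endpoint over an in-memory progress table. The table, the request and session values and the function names are constructed; `session_user_id` stands in for what `api_get_user_id()` returns. The hardened variant goes one step beyond the described patch: instead of silently ignoring a foreign `uid`, it rejects the request for non-administrators so that the attempt is visible, and honours the parameter only for a platform administrator, as the last paragraph above recommends.

```python
from dataclasses import dataclass


@dataclass
class Progress:
    """One user's learning-path item progress (constructed stand-in for the DB row)."""
    score: int = 0
    status: str = "not attempted"
    total_time: int = 0


def make_store():
    """Two enrolled users (constructed): user 17 has completed the item, user 42 has not."""
    return {17: Progress(score=90, status="completed", total_time=3600), 42: Progress()}


class Forbidden(Exception):
    """Raised when the caller is not allowed to write the requested user's progress."""


def _write(store, uid, params):
    """Persist score/status/time for uid; returns the uid that was written."""
    row = store.setdefault(uid, Progress())
    row.score = int(params["score"])
    row.status = params["status"]
    row.total_time = int(params["time"])
    return uid


def save_item_vulnerable(store, session_user_id, params):
    """Pre-fix behaviour from the record: the target user is whatever uid the
    request carries, so any enrolled user can select another user's row."""
    uid = int(params.get("uid", session_user_id))  # trusts client input
    return _write(store, uid, params)


def save_item_fixed(store, session_user_id, params, is_admin=False):
    """Post-fix behaviour: the row written is the authenticated user's own.
    A differing uid is rejected unless the caller is a platform administrator."""
    uid = session_user_id  # stand-in for api_get_user_id()
    requested = params.get("uid")
    if requested is not None and int(requested) != session_user_id:
        if not is_admin:
            raise Forbidden(
                f"user {session_user_id} may not write progress of user {requested}"
            )
        uid = int(requested)
    return _write(store, uid, params)


def demo():
    """Replay the same tampered request against both variants.

    Returns (user 17's score after the vulnerable handler,
             user 17's score after the fixed handler,
             whether the fixed handler refused the write)."""
    tampered = {"uid": "17", "score": "0", "status": "not attempted", "time": "5"}
    vuln_store = make_store()
    save_item_vulnerable(vuln_store, 42, tampered)  # user 42 overwrites user 17
    fixed_store = make_store()
    try:
        save_item_fixed(fixed_store, 42, tampered)
        refused = False
    except Forbidden:
        refused = True
    return vuln_store[17].score, fixed_store[17].score, refused


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that authorization for a write must be derived from the session, never from an identifier the client controls; the `is_admin` branch is the only place where a client-chosen `uid` is acceptable, and it is gated on a server-side role check rather than on anything in the request.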