CVE-2026-33703
Received Received - Intake
IDOR Vulnerability in Chamilo LMS Exposes User Data

Publication date: 2026-04-10

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33703
EUVD
EUVD-2026-21543
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability leads to mass disclosure of Personally Identifiable Information (PII) including usernames, emails, phone numbers, physical addresses, and other sensitive personal data. Such exposure of sensitive user information and credentials constitutes a significant data breach.

The unauthorized access and leakage of PII and credentials can result in non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls over personal data confidentiality and integrity.

Because the vulnerability allows any authenticated user to access arbitrary users' full personal data and API tokens without proper authorization checks, it undermines the principles of data minimization and access control required by these standards.

Therefore, exploitation of this vulnerability could lead to regulatory penalties, legal liabilities, and loss of user trust due to failure to adequately protect sensitive personal information.

Executive Summary

CVE-2026-33703 is a critical Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS versions up to 2.0-RC.2. It exists in the /social-network/personal-data/{userId} endpoint, where the application fails to properly verify if the authenticated user is authorized to access the requested personal data. Instead, it only checks if the user has a general user role, without confirming ownership or administrative rights.

Because of this flaw, any authenticated user can modify the userId parameter to access the full personal data and API tokens of other users. This includes sensitive information such as usernames, emails, phone numbers, physical addresses, gender, locale, timezone, biographies, last login timestamps, user roles, and API tokens.

This vulnerability results from broken object level authorization (BOLA) and allows mass disclosure of sensitive user information and credentials, enabling a full platform data breach. It was fixed in version 2.0-RC.3.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive personal data and API tokens of any user on the platform.

  • Mass disclosure of Personally Identifiable Information (PII) such as emails, phone numbers, physical addresses, and more.
  • Leakage of critical credentials like API tokens, which can be used to further compromise the platform.
  • User enumeration and identification of privileged accounts, including administrators.
  • Potential full platform data breach due to the ability to access arbitrary user data without proper authorization.

Exploitation requires only low-privileged authenticated access and can be automated easily due to lack of rate limiting or monitoring.

Detection Guidance

This vulnerability can be detected by monitoring and testing access to the `/social-network/personal-data/{userId}` endpoint while authenticated as a low-privileged user.

A practical detection method is to authenticate as a normal user and attempt to access personal data by modifying the `userId` parameter in the URL to other users' IDs.

For example, using curl commands to test access:

  • Authenticate and obtain a session cookie or token.
  • Use curl to request personal data for your own user ID: `curl -b cookie.txt https://your-chamilo-instance/social-network/personal-data/yourUserId`
  • Modify the userId parameter to another user's ID: `curl -b cookie.txt https://your-chamilo-instance/social-network/personal-data/otherUserId`

If the response returns full personal data and API tokens of the other user, the vulnerability is present.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the `/social-network/personal-data/{userId}` endpoint to only trusted users or administrators if possible.

Additionally, monitor logs for unusual access patterns to this endpoint, especially requests with varying userId parameters from the same authenticated user.

Implement network-level controls such as IP whitelisting or rate limiting to reduce the risk of automated mass exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33703. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart