CVE-2026-33703
IDOR Vulnerability in Chamilo LMS Exposes User Data
Publication date: 2026-04-10
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability leads to mass disclosure of Personally Identifiable Information (PII) including usernames, emails, phone numbers, physical addresses, and other sensitive personal data. Such exposure of sensitive user information and credentials constitutes a significant data breach.
The unauthorized access and leakage of PII and credentials can result in non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls over personal data confidentiality and integrity.
Because the vulnerability allows any authenticated user to access arbitrary users' full personal data and API tokens without proper authorization checks, it undermines the principles of data minimization and access control required by these standards.
Therefore, exploitation of this vulnerability could lead to regulatory penalties, legal liabilities, and loss of user trust due to failure to adequately protect sensitive personal information.
Can you explain this vulnerability to me?
CVE-2026-33703 is a critical Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS versions up to 2.0-RC.2. It exists in the /social-network/personal-data/{userId} endpoint, where the application fails to properly verify if the authenticated user is authorized to access the requested personal data. Instead, it only checks if the user has a general user role, without confirming ownership or administrative rights.
Because of this flaw, any authenticated user can modify the userId parameter to access the full personal data and API tokens of other users. This includes sensitive information such as usernames, emails, phone numbers, physical addresses, gender, locale, timezone, biographies, last login timestamps, user roles, and API tokens.
This vulnerability results from broken object level authorization (BOLA) and allows mass disclosure of sensitive user information and credentials, enabling a full platform data breach. It was fixed in version 2.0-RC.3.
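The authorization defect described above, as an added example that is not Chamilo LMS code: a minimal model of a `personal-data/{userId}` style handler. The vulnerable version only checks that the caller holds a generic user role, which is the broken object level authorization pattern the advisory describes; the hardened version additionally requires that the caller owns the record or holds an administrative role. The role names (`ROLE_USER`, `ROLE_ADMIN`), user ids and records are assumptions constructed for the example.

```python
# Added example, not Chamilo LMS code: a minimal model of the authorization
# decision behind CWE-639 for a "personal-data/{userId}" style endpoint.
# Role names (ROLE_USER, ROLE_ADMIN), user ids and records are assumptions
# constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


# Constructed sample records keyed by user id (no real data).
PERSONAL_DATA = {
    1: {"username": "alice", "email": "alice@example.invalid", "api_token": "token-alice"},
    2: {"username": "bob", "email": "bob@example.invalid", "api_token": "token-bob"},
    3: {"username": "root", "email": "root@example.invalid", "api_token": "token-root"},
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested record."""


class NotFound(Exception):
    """Raised when no record exists for the requested id."""


def personal_data_vulnerable(caller: User, user_id: int) -> dict:
    # Role-only check: any authenticated user passes, whatever user_id is.
    # This is the pattern the advisory describes as broken object level authorization.
    if "ROLE_USER" not in caller.roles:
        raise Forbidden("authentication required")
    record = PERSONAL_DATA.get(user_id)
    if record is None:
        raise NotFound(user_id)
    return record


def personal_data_hardened(caller: User, user_id: int) -> dict:
    # Object-level check: the record must belong to the caller, or the caller
    # must hold an administrative role. The ownership test runs before the
    # lookup, so a non-admin caller cannot probe which ids exist.
    if "ROLE_USER" not in caller.roles:
        raise Forbidden("authentication required")
    if caller.id != user_id and "ROLE_ADMIN" not in caller.roles:
        raise Forbidden("caller is not the owner of this record")
    record = PERSONAL_DATA.get(user_id)
    if record is None:
        raise NotFound(user_id)
    return record


def can_read(handler, caller: User, user_id: int) -> bool:
    """True if handler returns the record, False if it refuses (Forbidden or NotFound)."""
    try:
        handler(caller, user_id)
        return True
    except (Forbidden, NotFound):
        return False


# Constructed sample callers: an ordinary user and an administrator.
ALICE = User(1, frozenset({"ROLE_USER"}))
ADMIN = User(3, frozenset({"ROLE_USER", "ROLE_ADMIN"}))
```

With the vulnerable handler, `can_read(personal_data_vulnerable, ALICE, 2)` is true, so Alice reads Bob's record and API token; with the hardened handler the same call is refused, while Alice can still read her own record and the administrator can read any existing one. Ordering the ownership check before the lookup matters: it keeps the endpoint from doubling as a user-enumeration oracle.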
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to sensitive personal data and API tokens of any user on the platform.
- Mass disclosure of Personally Identifiable Information (PII) such as emails, phone numbers, physical addresses, and more.
- Leakage of critical credentials like API tokens, which can be used to further compromise the platform.
- User enumeration and identification of privileged accounts, including administrators.
- Potential full platform data breach due to the ability to access arbitrary user data without proper authorization.
Exploitation requires only low-privileged authenticated access and can be automated easily due to lack of rate limiting or monitoring.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and testing access to the `/social-network/personal-data/{userId}` endpoint while authenticated as a low-privileged user.
A practical detection method is to authenticate as a normal user and attempt to access personal data by modifying the `userId` parameter in the URL to other users' IDs.
For example, using curl commands to test access:
- Authenticate and obtain a session cookie or token.
- Use curl to request personal data for your own user ID: `curl -b cookie.txt https://your-chamilo-instance/social-network/personal-data/yourUserId`
- Modify the userId parameter to another user's ID: `curl -b cookie.txt https://your-chamilo-instance/social-network/personal-data/otherUserId`
If the response returns full personal data and API tokens of the other user, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where this vulnerability is fixed.
Until the upgrade can be performed, restrict access to the `/social-network/personal-data/{userId}` endpoint to only trusted users or administrators if possible.
Additionally, monitor logs for unusual access patterns to this endpoint, especially requests with varying userId parameters from the same authenticated user.
Implement network-level controls such as IP whitelisting or rate limiting to reduce the risk of automated mass exploitation.
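The log monitoring suggested above (requests with varying `userId` values from the same authenticated session), as an added example that is not Chamilo LMS code or its log format: the script parses a constructed, simplified application log (timestamp, session id, method, path, status) and flags any session that successfully fetched more than a threshold of distinct user ids from the personal-data endpoint inside a sliding time window. The log layout, the `session=` field, the threshold and the window are assumptions; `LOG_RE` would need to be adapted to the real log source.

```python
# Added example, not Chamilo LMS code: flag sessions that fetch many different
# userIds from the personal-data endpoint in a short time. The log format below
# is a constructed, simplified application log (timestamp, session id, method,
# path, status); adapt LOG_RE to the real log format. Threshold and window are
# assumptions to tune per deployment.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) (?P<method>[A-Z]+) "
    r"/social-network/personal-data/(?P<uid>\d+)\S* (?P<status>\d{3})$"
)

# Constructed sample log lines. Session "s-scan" walks through ids 1..5 within
# seconds; "s-alice" only reads one id; "s-bob" never touches the endpoint.
SAMPLE_LOG = """\
2026-04-11T10:00:01Z session=s-alice GET /social-network/personal-data/7 200
2026-04-11T10:00:05Z session=s-alice GET /social-network/personal-data/7 200
2026-04-11T10:01:00Z session=s-scan GET /social-network/personal-data/1 200
2026-04-11T10:01:01Z session=s-scan GET /social-network/personal-data/2 200
2026-04-11T10:01:02Z session=s-scan GET /social-network/personal-data/3 200
2026-04-11T10:01:03Z session=s-scan GET /social-network/personal-data/4 200
2026-04-11T10:01:04Z session=s-scan GET /social-network/personal-data/5 200
2026-04-11T10:02:00Z session=s-bob GET /profile 200
2026-04-11T12:00:00Z session=s-scan GET /social-network/personal-data/6 200
"""


def parse_events(log_text):
    """Yield (timestamp, session, user_id, status) for lines that hit the endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # other endpoints or unparseable lines are ignored
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["session"], int(m["uid"]), int(m["status"])


def find_suspicious_sessions(log_text, max_distinct_ids=3, window=timedelta(minutes=5)):
    """Return {session: sorted user ids} for every session that successfully
    fetched more than max_distinct_ids distinct userIds inside any `window`."""
    per_session = defaultdict(list)
    for ts, session, uid, status in parse_events(log_text):
        if 200 <= status < 300:  # only successful reads indicate disclosure
            per_session[session].append((ts, uid))

    flagged = {}
    for session, events in per_session.items():
        events.sort()
        # Sliding window anchored at each event: collect the ids read within
        # `window` of it and flag the session once the count crosses the threshold.
        for i, (start, _) in enumerate(events):
            ids = {uid for ts, uid in events[i:] if ts - start <= window}
            if len(ids) > max_distinct_ids:
                flagged.setdefault(session, set()).update(ids)
    return {s: sorted(ids) for s, ids in flagged.items()}


if __name__ == "__main__":
    for session, ids in find_suspicious_sessions(SAMPLE_LOG).items():
        print(f"{session}: {len(ids)} distinct userIds {ids}")
```

On the constructed log only `s-scan` is flagged, with ids 1 to 5; its later read of id 6 falls outside the window and is not counted, and `s-alice` reading her own id twice is not flagged. Counting only 2xx responses keeps the rule focused on actual disclosure, and the window plus threshold are what you would tune against a baseline of legitimate use, since a user opening a few colleagues' public profiles should not trip it.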