CVE-2026-33705
Unauthorized Template File Access in Chamilo LMS Exposes Sensitive Data
Publication date: 2026-04-10
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | to 1.11.38 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-538 | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes internal application logic, variable names, AJAX endpoint URLs, and admin panel structure to unauthenticated users by allowing direct HTTP access to Twig template files. Such information disclosure can increase the risk of targeted attacks and unauthorized access attempts.
While the vulnerability itself does not directly disclose personal data or protected health information, the exposure of internal application details could facilitate attacks that might lead to breaches of sensitive data, potentially impacting compliance with standards like GDPR or HIPAA.
Therefore, this vulnerability indirectly affects compliance by increasing the risk of unauthorized access or data breaches, which are critical concerns under regulations such as GDPR and HIPAA.
Can you explain this vulnerability to me?
CVE-2026-33705 is an information disclosure vulnerability in Chamilo LMS versions up to 1.11.36. The issue occurs because 235 Twig template files (.tpl) located under /main/template/default/ are accessible via unauthenticated HTTP GET requests due to insufficient Apache configuration restrictions.
These template files expose sensitive internal application details such as the admin panel structure, AJAX endpoint URLs, conditional logic and permission checks, internal variable names, and email templates. This exposure allows attackers to understand the internal workings of the application, map its structure, identify AJAX endpoints for targeted attacks, analyze permission checks to attempt authorization bypasses, and study email templates to facilitate phishing attacks.
The vulnerability is fixed in Chamilo LMS version 1.11.38 by restricting direct HTTP access to these .tpl files.
How can this vulnerability impact me?
This vulnerability can impact you by exposing sensitive internal details of the Chamilo LMS application without requiring authentication. Attackers can gain insight into the admin panel structure, AJAX endpoints, and permission logic. Concretely, this enables:
- Mapping internal application structure to plan further attacks.
- Identifying AJAX endpoints to target with malicious requests.
- Understanding permission checks to attempt authorization bypasses.
- Analyzing variable usage for parameter tampering.
- Studying email templates to craft phishing attacks.
Overall, this leads to a moderate confidentiality impact, potentially aiding attackers in planning more sophisticated attacks against the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the Twig template files (.tpl) located under the /main/template/default/ directory via HTTP GET requests without authentication.
If these files are accessible and return content, it indicates the vulnerability is present.
- Use `curl` or `wget` to request a known `.tpl` file, for example: `curl -i http://your-chamilo-domain/main/template/default/admin/settings_index.tpl`
- Check the HTTP response code and body: a 200 response whose content shows Twig syntax (`{{ ... }}`, `{% ... %}`), internal variable names, or admin panel structure confirms the exposure; a 403 response means the web server is blocking direct access.
- Alternatively, use a web vulnerability scanner to detect publicly accessible `.tpl` files under the `/main/template/default/` path.
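The same check, scripted so it can be run against an instance before and after applying the fix, as an added example that is not part of this advisory or of the Chamilo project. It requests the `settings_index.tpl` path named above with no credentials and classifies the response: a 200 containing Twig syntax means the raw template is being served, a 401/403 means the web server is blocking it (the expected result after the mitigation below), a 404 means the file is not present at that path. The sample response bodies embedded in the script are constructed for illustration and are not real Chamilo template content.

```python
"""Check whether Chamilo LMS Twig templates under /main/template/default/
are served to unauthenticated clients (CVE-2026-33705).

Added example; not code from the advisory or from the Chamilo project.
"""
import re
import sys
import urllib.error
import urllib.request

# The one template path named in the advisory. No other paths are probed.
TEMPLATE_PATH = "/main/template/default/admin/settings_index.tpl"

# Twig output tags {{ ... }} and statement tags {% ... %}. Their presence in
# a 200 response body means the template source itself was returned.
TWIG_MARKER = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)


def classify(status: int, body: str) -> str:
    """Classify one HTTP response to a .tpl request.

    'exposed'      - 200 and the body contains Twig syntax (raw template served)
    'blocked'      - 401/403: the web server refuses direct access (mitigated)
    'missing'      - 404: no file at that path (different version or layout)
    'inconclusive' - anything else, e.g. 200 with ordinary HTML from a
                     catch-all route or a redirect to a login page
    """
    if status == 200 and TWIG_MARKER.search(body):
        return "exposed"
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "missing"
    return "inconclusive"


def fetch(base_url: str, path: str, timeout: float = 10.0):
    """GET base_url + path with no cookies or credentials; return (status, body).

    Only the first 64 KiB of the body is read; that is plenty to spot Twig tags.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "tpl-exposure-check/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive here; the body may still be useful for classification.
        return err.code, err.read(65536).decode("utf-8", "replace")


def check_instance(base_url: str) -> str:
    """Probe one Chamilo instance and return the classification string."""
    status, body = fetch(base_url, TEMPLATE_PATH)
    return classify(status, body)


# Constructed sample responses used to exercise classify(); NOT real template
# content from Chamilo, just the shape of what an exposed .tpl would look like.
SAMPLE_EXPOSED = (
    "{% if is_platform_admin %}\n"
    '  <div class="admin-panel">{{ admin_panel_title }}</div>\n'
    "{% endif %}\n"
)
SAMPLE_FORBIDDEN = "<html><body><h1>403 Forbidden</h1></body></html>"
SAMPLE_HTML = "<!doctype html><html><body>Welcome to the portal</body></html>"


if __name__ == "__main__":
    # Usage: python tpl_check.py https://your-chamilo-domain
    if len(sys.argv) != 2:
        sys.exit("usage: tpl_check.py <base-url>")
    print(f"{TEMPLATE_PATH}: {check_instance(sys.argv[1])}")
```

Run it once before the mitigation (expect `exposed`) and again afterwards (expect `blocked`); an `inconclusive` result usually means a front-end or SPA route is answering instead of the file system and warrants looking at the actual body.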
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, restrict direct HTTP access to .tpl files in the /main/template/ directory.
For Apache servers, add or ensure the presence of a .htaccess file in the /main/template/ directory with the following directive to deny access:

```apache
<FilesMatch "\.tpl$">
    Require all denied
</FilesMatch>
```

If .htaccess overrides are not supported (for example, the directory is served with AllowOverride None), add this configuration to your Apache VirtualHost definition (replace /var/www/URL with your Chamilo root path):

```apache
<Directory /var/www/URL/main/template>
    <FilesMatch "\.tpl$">
        Require all denied
    </FilesMatch>
</Directory>
```

For Nginx servers, add a location block near the top of your server configuration, ahead of any other regular-expression location such as the PHP handler (regex locations are matched in order of appearance), to deny access to .tpl files and return a 403 Forbidden response:

```nginx
location ~* \.tpl$ {
    deny all;
    return 403;
}
```
Additionally, upgrade Chamilo LMS to version 1.11.38 or later where this vulnerability is fixed.