CVE-2026-33707
Predictable Password Reset Token Vulnerability in Chamilo LMS
Publication date: 2026-04-10
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.38 (excluding) |
| chamilo | chamilo_lms | 2.0.0 (pre-release builds before 2.0.0-RC.3) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to a complete account takeover for any user whose email address is known or discovered by an attacker.
An attacker can generate a valid password reset token without authentication, reset the victim's password, and gain unauthorized access to their account.
This compromises confidentiality, integrity, and availability of user accounts, potentially exposing sensitive information and disrupting service.
Can you explain this vulnerability to me?
This vulnerability exists in the Chamilo LMS password reset mechanism prior to versions 1.11.38 and 2.0.0-RC.3. The system generated password reset tokens by simply applying a SHA-1 hash to the user's email address, which is predictable and contains no random component.
Because the token is deterministic, has no expiration, and there is no rate limiting, an attacker who knows a user's email can compute the reset token, craft a reset URL, and reset the victim's password without any authentication or user interaction.
The vulnerability allows unauthorized password resets leading to complete account takeover.
The fix replaces this weak scheme with cryptographically secure random tokens that expire after one hour, are compared in constant time, and are invalidated after a single use.
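To make the two designs concrete, here is an added example (not Chamilo code) that puts the deterministic sha1(email) token described above next to a token store with the properties the fix is described as having: a CSPRNG-generated token, a one-hour expiry, a timing-safe comparison, and invalidation after use. The names `weak_reset_token`, `ResetTokenStore` and `PendingReset`, the sample address and the fake clock are this example's own assumptions.

```python
# Added example (not Chamilo code): the deterministic reset token described
# above, next to a token store with the properties the fix is said to have:
# CSPRNG token, one-hour expiry, timing-safe comparison, single use.
# Names (weak_reset_token, ResetTokenStore, PendingReset) are this example's own.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 3600  # one hour, as in the described fix


def weak_reset_token(email: str) -> str:
    """Vulnerable scheme: sha1(email). No secret, no randomness, no expiry,
    so anyone who knows the address can compute the token offline."""
    return hashlib.sha1(email.encode("utf-8")).hexdigest()


@dataclass
class PendingReset:
    token_hash: str     # only a hash is stored; a DB leak yields no usable token
    expires_at: float   # absolute time after which the token is dead


class ResetTokenStore:
    """Hardened scheme: unpredictable, expiring, single-use tokens per user."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock so expiry is testable
        self._pending: dict[int, PendingReset] = {}

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self._pending[user_id] = PendingReset(
            token_hash=hashlib.sha256(token.encode("utf-8")).hexdigest(),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return token                          # sent only in the e-mail link

    def redeem(self, user_id: int, presented: str) -> bool:
        rec = self._pending.get(user_id)
        if rec is None:
            return False                      # nothing pending (or already used)
        if self._now() > rec.expires_at:
            del self._pending[user_id]        # expired: discard, do not accept
            return False
        presented_hash = hashlib.sha256(presented.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(presented_hash, rec.token_hash):
            return False                      # constant-time mismatch
        del self._pending[user_id]            # invalidate after one successful use
        return True


def demo() -> dict:
    """Walk both schemes with constructed data and report what each allows."""
    email = "victim@example.org"              # constructed sample address
    # Weak scheme: the attacker reproduces the victim's token from the address alone.
    attacker_guess = weak_reset_token(email)
    clock = [1_700_000_000.0]                 # fake clock (seconds)
    store = ResetTokenStore(now=lambda: clock[0])
    real_token = store.issue(user_id=42)
    results = {
        "weak_token_is_predictable": attacker_guess == weak_reset_token(email),
        "guess_rejected_by_store": not store.redeem(42, attacker_guess),
        "real_token_accepted_once": store.redeem(42, real_token),
        "replay_rejected": not store.redeem(42, real_token),
    }
    second = store.issue(42)
    clock[0] += TOKEN_TTL_SECONDS + 1         # advance past the one-hour TTL
    results["expired_token_rejected"] = not store.redeem(42, second)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The store keeps only a hash of the issued token, so a database read does not hand an attacker a usable link; the one-hour TTL and the delete-on-redeem are what stop the "no expiration" and replay problems named above.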
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Chamilo LMS instance is using the insecure password reset mechanism that generates tokens as sha1(email) without randomness, expiration, or rate limiting.
To detect this on your system, you can:
- Inspect the Chamilo LMS version; versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable.
- Check the password reset URL format in use. If reset URLs look like `lostPassword.php?reset={SHA1_OF_EMAIL}&id={USER_ID}`, it indicates the vulnerable mechanism.
- Review the source code or configuration for the presence of the function `get_secret_word($email)` generating tokens as sha1(email).
Suggested commands to detect the vulnerability might include:
- Trigger a password reset for an account you control (for example by submitting the lost-password form with curl or wget), then compare the `reset` value in the link you receive with the SHA-1 hex digest of that account's e-mail address; a match confirms the deterministic scheme.
- Search the codebase for the function `get_secret_word` or for `sha1($email)` in the password reset logic, e.g., `grep -rn 'sha1' /path/to/chamilo`, and review the hits inside the lost-password code path (a plain search for `sha1` will also match unrelated uses).
- Check the Chamilo LMS version via the admin interface or by inspecting version files to confirm if it is older than 1.11.38 or 2.0.0-RC.3.
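The two checks above (comparing a received reset link against sha1(email), and searching the source for the weak token function) as an added example that is not part of the original page and is not Chamilo code. The host `lms.example.org`, the address, the user id, the "patched" link and the PHP snippet are constructed samples; the link format `lostPassword.php?reset=...&id=...` follows the description above.

```python
# Added example (not Chamilo code): detects the deterministic-token scheme
# described above. The e-mail address, user id, reset links and PHP snippet
# below are constructed samples; the host lms.example.org is an assumption.
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit


def sha1_hex(email: str) -> str:
    return hashlib.sha1(email.encode("utf-8")).hexdigest()


def check_reset_link(reset_url: str, email: str) -> dict:
    """Compare the `reset` parameter of a received link with sha1(email).

    A match means the instance still derives tokens from the address alone
    (the scheme fixed in 1.11.38 / 2.0.0-RC.3). `id` is returned for context.
    """
    query = parse_qs(urlsplit(reset_url).query)
    token = query.get("reset", [""])[0]
    user_id = query.get("id", [""])[0]
    # The page states only sha1(email); trying the address lower-cased as well
    # is a robustness assumption of this example, not documented behaviour.
    candidates = {email, email.strip().lower()}
    deterministic = any(
        hmac.compare_digest(token.encode("utf-8"), sha1_hex(c).encode("utf-8"))
        for c in candidates
    )
    return {
        "user_id": user_id,
        "token": token,
        "token_is_sha1_of_email": deterministic,
        "verdict": ("VULNERABLE: token = sha1(email)" if deterministic
                    else "token not derived from e-mail (patched or different scheme)"),
    }


WEAK_PATTERN = re.compile(r"sha1\s*\(|get_secret_word")


def scan_php_source(source: str) -> list:
    """Line-level equivalent of the grep above: report lines that call sha1()
    or mention get_secret_word so a reviewer can inspect the reset logic."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if WEAK_PATTERN.search(line)]


# --- constructed samples ---------------------------------------------------
EMAIL = "alice@example.org"
VULNERABLE_LINK = (
    f"https://lms.example.org/lostPassword.php?reset={sha1_hex(EMAIL)}&id=7"
)
PATCHED_LINK = (  # random-looking token, constructed for the example
    "https://lms.example.org/lostPassword.php"
    "?reset=Jp3z9nqXr2lYc0Wk7vBt1mQaLhSdEoFuRgNiKxCy5wA&id=7"
)
SAMPLE_PHP = """<?php
function get_secret_word($add) {
    return sha1($add);   // constructed sample, not the real file
}
"""

if __name__ == "__main__":
    print(check_reset_link(VULNERABLE_LINK, EMAIL)["verdict"])
    print(check_reset_link(PATCHED_LINK, EMAIL)["verdict"])
    for n, line in scan_php_source(SAMPLE_PHP):
        print(f"line {n}: {line}")
```

Run `check_reset_link` against the link from a reset you requested for your own account; a `VULNERABLE` verdict is conclusive, while a non-match only tells you the token is not a bare sha1 of the address and should be paired with the version check.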
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade Chamilo LMS to version 1.11.38 or later, or 2.0.0-RC.3 or later, where the vulnerability is fixed.
- Ensure the password reset mechanism uses cryptographically secure, random tokens with expiration and rate limiting, as implemented in the patched versions.
- Disable or restrict the vulnerable password reset functionality if upgrading immediately is not possible.
- Monitor password reset requests and rate-limit them, as defense in depth only: the token is computed offline from the e-mail address and a single request completes the attack, so rate limiting does not replace the upgrade.
- Review and update any custom integrations or scripts that rely on the old reset token mechanism to use the new secure token system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Chamilo LMS allows an attacker who knows a user's email to compute the password reset token and change the victim's password without authentication. This results in unauthorized access to user accounts, leading to potential breaches of confidentiality and integrity of personal data.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and user privacy, secure authentication mechanisms, and prevention of unauthorized access.
The vulnerability violates principles of secure password recovery mechanisms by using predictable, non-expiring tokens without rate limiting, increasing the risk of account takeover and data exposure.
The fix implemented in versions 1.11.38 and 2.0.0-RC.3 improves compliance by introducing cryptographically secure, random, time-limited tokens with secure validation, reducing the risk of unauthorized access and helping to meet security requirements of these regulations.