CVE-2026-33707
Received Received - Intake
Predictable Password Reset Token Vulnerability in Chamilo LMS

Publication date: 2026-04-10

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33707
EUVD
EUVD-2026-21561
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms to 1.11.38 (exc)
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to a complete account takeover for any user whose email address is known or discovered by an attacker.

An attacker can generate a valid password reset token without authentication, reset the victim's password, and gain unauthorized access to their account.

This compromises confidentiality, integrity, and availability of user accounts, potentially exposing sensitive information and disrupting service.

Executive Summary

This vulnerability exists in the Chamilo LMS password reset mechanism prior to versions 1.11.38 and 2.0.0-RC.3. The system generated password reset tokens by simply applying a SHA-1 hash to the user's email address, which is predictable and contains no random component.

Because the token is deterministic, has no expiration, and there is no rate limiting, an attacker who knows a user's email can compute the reset token, craft a reset URL, and reset the victim's password without any authentication or user interaction.

The vulnerability allows unauthorized password resets leading to complete account takeover.

The fix replaces this weak token generation with a cryptographically secure, random, time-limited token system that uses secure token generation, token expiration (one hour), timing-safe comparisons, and token invalidation after use.

Detection Guidance

This vulnerability can be detected by checking if the Chamilo LMS instance is using the insecure password reset mechanism that generates tokens as sha1(email) without randomness, expiration, or rate limiting.

To detect this on your system, you can:

  • Inspect the Chamilo LMS version; versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable.
  • Check the password reset URL format in use. If reset URLs look like `lostPassword.php?reset={SHA1_OF_EMAIL}&id={USER_ID}`, it indicates the vulnerable mechanism.
  • Review the source code or configuration for the presence of the function `get_secret_word($email)` generating tokens as sha1(email).

Suggested commands to detect the vulnerability might include:

  • Use curl or wget to request a password reset URL with a known email and observe if the reset token is a SHA-1 hash of the email.
  • Search the codebase for the function `get_secret_word` or for usage of `sha1($email)` in password reset logic, e.g., `grep -r 'sha1' /path/to/chamilo`.
  • Check the Chamilo LMS version via the admin interface or by inspecting version files to confirm if it is older than 1.11.38 or 2.0.0-RC.3.
Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Chamilo LMS to version 1.11.38 or later, or 2.0.0-RC.3 or later, where the vulnerability is fixed.
  • Ensure the password reset mechanism uses cryptographically secure, random tokens with expiration and rate limiting, as implemented in the patched versions.
  • Disable or restrict the vulnerable password reset functionality if upgrading immediately is not possible.
  • Monitor password reset requests and implement rate limiting to reduce the risk of automated attacks.
  • Review and update any custom integrations or scripts that rely on the old reset token mechanism to use the new secure token system.
Compliance Impact

The vulnerability in Chamilo LMS allows an attacker who knows a user's email to compute the password reset token and change the victim's password without authentication. This results in unauthorized access to user accounts, leading to potential breaches of confidentiality and integrity of personal data.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and user privacy, secure authentication mechanisms, and prevention of unauthorized access.

The vulnerability violates principles of secure password recovery mechanisms by using predictable, non-expiring tokens without rate limiting, increasing the risk of account takeover and data exposure.

The fix implemented in versions 1.11.38 and 2.0.0-RC.3 improves compliance by introducing cryptographically secure, random, time-limited tokens with secure validation, reducing the risk of unauthorized access and helping to meet security requirements of these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33707. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart