Executive Summary

CVE-2026-33708 is a security vulnerability in the Chamilo LMS REST API, specifically in the get_user_info_from_username endpoint. Before the fix in version 1.11.38, this endpoint returned personal information such as email, first name, last name, user ID, username, and active status of any user to any authenticated user without performing any authorization checks.

This means that any authenticated user, including students, could access sensitive personal data of other users because the system did not verify if the requester had the right privileges to access this information.

The vulnerability was caused by missing authorization checks, allowing unauthorized access to personally identifiable information (PII). The fix introduced an access control check to ensure only platform administrators can retrieve user information via this API.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several serious impacts:

• Exposure of personally identifiable information (PII) such as emails, names, user IDs, and active status to any authenticated user.
• Enables attackers to perform targeted phishing and social engineering attacks using harvested user data.
• Allows enumeration of the entire user directory by iterating over common usernames.
• Verified attack chains include:
• - Unauthenticated admin account takeover by brute-forcing an API key, retrieving admin email via this endpoint, and resetting the admin password.
• - Student privilege escalation by exploiting another vulnerable endpoint to gain teacher privileges.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the `get_user_info_from_username` REST API endpoint as a non-admin authenticated user and checking if personal information is returned without authorization.

A practical detection method is to send an authenticated API request to the endpoint and observe the response. If the response includes personal user information such as email, first name, last name, user ID, or active status without admin privileges, the system is vulnerable.

• Use a command-line tool like curl to test the endpoint with a non-admin user's credentials:
• curl -X GET -H "Authorization: Bearer <non-admin-user-token>" "https://<your-chamilo-domain>/main/webservices/api/v2.php?action=get_user_info_from_username&username=<target-username>"

If the response returns detailed user information without an authorization error, the vulnerability exists.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Chamilo LMS to version 1.11.38 or later, where this vulnerability is fixed.

The fix restricts access to the `get_user_info_from_username` REST API endpoint so that only platform administrators can retrieve user information, preventing unauthorized access by non-admin users.

If upgrading immediately is not possible, consider restricting access to the vulnerable API endpoint by network controls or disabling the REST API temporarily to prevent exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Chamilo LMS allows any authenticated user, including students, to access personal information such as email, first name, last name, user ID, username, and active status of any user without authorization checks.

This exposure of personally identifiable information (PII) can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal data and mandate that only authorized personnel can access such information.

By failing to enforce authorization on the REST API endpoint, the system risks non-compliance with these standards, potentially resulting in unauthorized data disclosure, increased risk of phishing and social engineering attacks, and legal consequences for mishandling sensitive user data.

Useful 0 Not Useful 0