CVE-2026-33710
Predictable API Key Generation in Chamilo LMS Enables Brute Force
Publication date: 2026-04-10
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | to 1.11.38 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to brute-force API keys due to weak and predictable key generation. This can lead to unauthorized access to user accounts and potentially expose personally identifiable information (PII).
Such unauthorized access and exposure of PII can result in non-compliance with data protection regulations like GDPR and HIPAA, which require adequate protection of personal data and secure authentication mechanisms.
Therefore, this vulnerability poses a risk to compliance with these standards by undermining confidentiality protections and enabling potential data breaches.
Can you explain this vulnerability to me?
CVE-2026-33710 is a security vulnerability in Chamilo LMS related to weak and predictable REST API key generation.
The original API keys were generated from an MD5 hash of a value derived from the current time, the user ID multiplied by 5, and what was meant to be a random integer between -10000 and 10000. However, the random function call always returned 10000 because it was given the same value as both minimum and maximum, so the key generation formula was effectively deterministic.
This predictability allows an attacker who knows a username and approximate key creation time to brute-force the API key.
The vulnerability was fixed by replacing the weak key generation method with a cryptographically secure one using PHP's random_bytes function to generate a secure random API key.
How can this vulnerability impact me?
This vulnerability allows an attacker to brute-force any user's API key without knowing their password if they know the username and approximate time the key was created.
Because the keyspace is limited (e.g., 86,400 possibilities for a 24-hour window), brute-force attacks are feasible with low attack complexity.
Once the API key is compromised, it can be used as part of a larger unauthenticated attack chain to escalate privileges, retrieve sensitive information like email addresses, reset passwords, and take over user accounts.
The vulnerability has a high severity rating with a CVSS v3 base score of 7.5, indicating a significant confidentiality impact but no impact on integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves weak and predictable REST API key generation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. Detection involves identifying API keys generated using the insecure formula md5(time() + (user_id * 5) - 10000), which are predictable if the username and approximate key creation time are known.
To detect vulnerable API keys on your system, you can attempt to brute-force API keys by reproducing the key generation formula for known users and approximate timestamps. This can be scripted by iterating over possible timestamps within a suspected key creation window and computing the MD5 hash as per the vulnerable formula.
An example approach (scriptable in Python or Bash) to generate candidate API keys for a user_id over a timestamp range:
- For each second in the suspected time window, compute md5(timestamp + user_id * 5 - 10000) and compare with observed API keys.
- Use network monitoring tools to capture API key usage and compare keys against the generated list of predictable keys.
No specific commands are provided in the resources, but the detection approach relies on reproducing the weak key generation logic and comparing against observed API keys.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Chamilo LMS to version 1.11.38 or later, or 2.0.0-RC.3 or later, where the vulnerability is fixed.
The fix replaces the weak API key generation method with a cryptographically secure approach using PHP's random_bytes function to generate strong, unpredictable API keys.
Additionally, you should invalidate and regenerate all existing API keys that were generated using the vulnerable method to prevent unauthorized access.
Monitor API key usage for suspicious activity, especially brute-force attempts, and consider implementing rate limiting or additional authentication controls on the REST API.