CVE-2026-33710
Received Received - Intake
Predictable API Key Generation in Chamilo LMS Enables Brute Force

Publication date: 2026-04-10

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33710
EUVD
EUVD-2026-21565
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms to 1.11.38 (exc)
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to brute-force API keys due to weak and predictable key generation. This can lead to unauthorized access to user accounts and potentially expose personally identifiable information (PII).

Such unauthorized access and exposure of PII can result in non-compliance with data protection regulations like GDPR and HIPAA, which require adequate protection of personal data and secure authentication mechanisms.

Therefore, this vulnerability poses a risk to compliance with these standards by undermining confidentiality protections and enabling potential data breaches.

Executive Summary

CVE-2026-33710 is a security vulnerability in Chamilo LMS related to weak and predictable REST API key generation.

The original API keys were generated using an MD5 hash of a value derived from the current time, the user ID multiplied by 5, and a random integer between -10000 and 10000. However, the random function call always returned 10000 because the minimum and maximum values were the same, making the key generation formula effectively deterministic.

This predictability allows an attacker who knows a username and approximate key creation time to brute-force the API key.

The vulnerability was fixed by replacing the weak key generation method with a cryptographically secure one using PHP's random_bytes function to generate a secure random API key.

Impact Analysis

This vulnerability allows an attacker to brute-force any user's API key without knowing their password if they know the username and approximate time the key was created.

Because the keyspace is limited (e.g., 86,400 possibilities for a 24-hour window), brute-force attacks are feasible with low attack complexity.

Once the API key is compromised, it can be used as part of a larger unauthenticated attack chain to escalate privileges, retrieve sensitive information like email addresses, reset passwords, and take over user accounts.

The vulnerability has a high severity rating with a CVSS v3 base score of 7.5, indicating a significant confidentiality impact but no impact on integrity or availability.

Detection Guidance

This vulnerability involves weak and predictable REST API key generation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. Detection involves identifying API keys generated using the insecure formula md5(time() + (user_id * 5) - 10000), which are predictable if the username and approximate key creation time are known.

To detect vulnerable API keys on your system, you can attempt to brute-force API keys by reproducing the key generation formula for known users and approximate timestamps. This can be scripted by iterating over possible timestamps within a suspected key creation window and computing the MD5 hash as per the vulnerable formula.

Example command (in a scripting language like Python or Bash) to generate possible API keys for a user_id and timestamp range could be:

  • For each second in the suspected time window, compute md5(timestamp + user_id * 5 - 10000) and compare with observed API keys.
  • Use network monitoring tools to capture API key usage and compare keys against the generated list of predictable keys.

No specific commands are provided in the resources, but the detection approach relies on reproducing the weak key generation logic and comparing against observed API keys.

Mitigation Strategies

The primary mitigation step is to upgrade Chamilo LMS to version 1.11.38 or later, or 2.0.0-RC.3 or later, where the vulnerability is fixed.

The fix replaces the weak API key generation method with a cryptographically secure approach using PHP's random_bytes function to generate strong, unpredictable API keys.

Additionally, you should invalidate and regenerate all existing API keys that were generated using the vulnerable method to prevent unauthorized access.

Monitor API key usage for suspicious activity, especially brute-force attempts, and consider implementing rate limiting or additional authentication controls on the REST API.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33710. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart