CVE-2026-33715
Unauthenticated SSRF and Open Relay in Chamilo LMS Ajax Endpoint
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in Chamilo LMS version 2.0-RC.2 where the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances.
Unlike other AJAX endpoints, this file does not include the global.inc.php file that performs authentication and installation-completed checks.
Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server.
This enables Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol.
An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address.
Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services.
This issue was fixed in version 2.0.0-RC.3.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to perform Server-Side Request Forgery (SSRF) into your internal network via the SMTP protocol.
Attackers can use your Chamilo server as an open email relay to send phishing and spam emails that appear to originate from your server's IP address.
This can lead to reputational damage, blacklisting of your server's IP, and potential legal consequences.
Furthermore, error messages from failed SMTP connections may reveal sensitive information about your internal network topology and running services, increasing the risk of further attacks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the issue has been fixed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the vulnerable endpoint public/main/inc/ajax/install.ajax.php is accessible without authentication on your Chamilo LMS instance version 2.0-RC.2 or earlier.
You can attempt to send a POST request to this endpoint with the test_mailer action and an arbitrary Symfony Mailer DSN string to see if the server connects to the specified SMTP server, indicating the vulnerability.
For example, you can use curl commands to test accessibility and behaviour:
- Check if the endpoint is accessible without authentication: `curl -i -X POST https://your-chamilo-instance/public/main/inc/ajax/install.ajax.php -d 'action=test_mailer&dsn=smtp://example.com'`
- Observe the response for signs of SMTP connection attempts or error messages that may reveal internal network information.
If the endpoint is accessible and responds to such requests, your system is likely vulnerable.
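As an added example (not part of this advisory or of Chamilo's own code), the following Python script complements the request-based check above with a review of web-server access logs: on a fully installed instance nothing legitimate should request install.ajax.php, so every hit is worth triage. It assumes the Apache/nginx "combined" log format and uses constructed sample lines; the `action` and `dsn` values are only visible when a client puts them in the query string, since POST bodies are not recorded in access logs.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import parse_qs

# Apache/nginx "combined" access log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Endpoint named in CVE-2026-33715. Once installation has completed, nothing legitimate
# requests it, so every hit deserves triage whatever URL prefix the deployment uses.
INSTALL_AJAX = "/main/inc/ajax/install.ajax.php"

@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    status: int
    action: Optional[str]  # only visible when sent in the query string;
    dsn: Optional[str]     # POST bodies are not recorded in access logs

def find_install_ajax_hits(lines: Iterable[str]) -> list[Hit]:
    """Return every request to install.ajax.php found in combined-format log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line: skip it rather than crash
        path, _, query = m.group("target").partition("?")
        if not path.endswith(INSTALL_AJAX):
            continue
        params = parse_qs(query)
        hits.append(Hit(ip=m.group("ip"), ts=m.group("ts"), method=m.group("method"),
                        status=int(m.group("status")),
                        action=params.get("action", [None])[0],
                        dsn=params.get("dsn", [None])[0]))
    return hits

# Constructed sample log lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Apr/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Apr/2026:10:02:15 +0000] "POST /public/main/inc/ajax/install.ajax.php HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '198.51.100.9 - - [14/Apr/2026:10:02:40 +0000] "GET /main/inc/ajax/install.ajax.php?action=test_mailer&dsn=smtp://mail.example.net:25 HTTP/1.1" 200 91 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    print(find_install_ajax_hits(SAMPLE_LOG))
```

Run it against the real access log with `find_install_ajax_hits(open("/var/log/apache2/access.log"))` and review every hit, since on an installed instance the expected count is zero.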