CVE-2026-33736
Status: Received (Intake)
Insecure Direct Object Reference in Chamilo LMS User API

Publication date: 2026-04-10

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0 (10 associated CPE entries, all rendering as version 2.0.0; per the description, releases before 2.0.0-RC.3 are affected)
CWE
CWE ID Description
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33736 is a security vulnerability in Chamilo LMS that allows any authenticated user, including students, to enumerate all users on the platform and access their personal information such as email addresses, phone numbers, and roles via the GET /api/users API endpoint.

The vulnerability exists because the API's user collection endpoint requires only basic user permissions, enabling unauthorized access to sensitive user data, including administrator accounts.

This issue is classified as an Insecure Direct Object Reference (IDOR, CWE-639): the authorization check does not restrict what a caller may read according to their role. Note that no identifier needs to be guessed or tampered with here; the collection endpoint itself returns every user's record, so the exposure is immediate rather than one record at a time.

The vulnerability was fixed in Chamilo LMS version 2.0.0-RC.3 by implementing role-based access control and field-level filtering to restrict unprivileged users to only see limited user information and only users they have a direct relationship with.
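The two controls the answer above attributes to the fix, scoping the collection to users the requester is related to and filtering fields by role, sketched side by side with the pre-fix behaviour. This is an added example, not Chamilo's code (Chamilo 2 is PHP/Symfony; this is the same pattern in Python). The User fields, the role names and the "related users" lookup are assumptions drawn from the advisory text, and the directory is constructed.

```python
"""Sketch of the two controls the advisory attributes to the 2.0.0-RC.3 fix:
(1) scope the user collection to users the requester is related to, and
(2) filter fields by the requester's role.

Added example, not Chamilo's code. The User fields, role names and the
"relationship" lookup are assumptions drawn from the advisory text; the
directory below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PUBLIC_FIELDS = ("id", "username", "firstname", "lastname", "illustrationUrl")
PRIVATE_FIELDS = ("email", "phone", "roles")
ADMIN_ROLES = {"ROLE_ADMIN", "ROLE_SUPER_ADMIN"}


@dataclass
class User:
    id: int
    username: str
    firstname: str
    lastname: str
    email: str
    phone: str
    roles: List[str]
    illustrationUrl: Optional[str] = None


def is_admin(user: User) -> bool:
    return bool(ADMIN_ROLES & set(user.roles))


def serialize(target: User, viewer: User) -> dict:
    """Field-level filtering: personal fields only for admins or the user themself."""
    data = {f: getattr(target, f) for f in PUBLIC_FIELDS}
    if is_admin(viewer) or viewer.id == target.id:
        data.update({f: getattr(target, f) for f in PRIVATE_FIELDS})
    return data


def list_users_vulnerable(viewer: User, users: List[User]) -> List[dict]:
    """Pre-fix behaviour: any authenticated viewer gets every record, every field."""
    return [{f: getattr(u, f) for f in PUBLIC_FIELDS + PRIVATE_FIELDS} for u in users]


def list_users_fixed(viewer: User, users: List[User],
                     related: Dict[int, Set[int]]) -> List[dict]:
    """Collection scoping plus field filtering.

    `related` maps a user id to the ids of users they share a course or
    group with (assumed representation of a 'direct relationship').
    """
    if is_admin(viewer):
        visible = users
    else:
        allowed = related.get(viewer.id, set()) | {viewer.id}
        visible = [u for u in users if u.id in allowed]
    return [serialize(u, viewer) for u in visible]


# Constructed directory: one admin, one teacher, two students.
DIRECTORY = [
    User(1, "admin", "Ada", "Admin", "admin@example.test", "+1000", ["ROLE_SUPER_ADMIN"]),
    User(2, "teacher", "Tom", "Teacher", "tom@example.test", "+2000", ["ROLE_TEACHER"]),
    User(42, "student1", "Sam", "Student", "sam@example.test", "+4200", ["ROLE_STUDENT"]),
    User(43, "student2", "Sue", "Student", "sue@example.test", "+4300", ["ROLE_STUDENT"]),
]
# Students 42 and 43 share a course taught by 2; nobody is related to the admin.
RELATED = {2: {42, 43}, 42: {2, 43}, 43: {2, 42}}


def demo(viewer_id: int) -> List[dict]:
    """Run the fixed listing as the given user of the constructed directory."""
    viewer = next(u for u in DIRECTORY if u.id == viewer_id)
    return list_users_fixed(viewer, DIRECTORY, RELATED)


if __name__ == "__main__":
    student = DIRECTORY[2]
    print("before fix:", [u["username"] for u in list_users_vulnerable(student, DIRECTORY)])
    print("after fix: ", demo(42))
```

Run as student 42, the fixed listing returns only the teacher, the other student and the student's own record, and only the student's own record carries email, phone and roles; the administrator never appears. Both checks (who is listed, and which fields each record carries) have to be enforced, since either one alone still leaks.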


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows any authenticated user, including students, to enumerate all platform users and access their personal information such as email addresses, phone numbers, and roles, including administrator accounts.

This unauthorized exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Specifically, the exposure of sensitive user data without proper authorization violates principles of data confidentiality and access control mandated by these standards.

The vulnerability increases the risk of privacy breaches and targeted attacks, which can result in regulatory penalties and damage to organizational reputation.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive personal information of all users on the platform, including email addresses, phone numbers, and user roles.

Exposure of administrator account details can facilitate targeted attacks such as phishing or social engineering against privileged users.

Since the vulnerability allows low-privileged users to access data they should not see, it compromises user privacy and platform security.

The vulnerability has a CVSS v3 base score of 6.5, indicating a moderate severity with a network attack vector and low attack complexity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by calling GET /api/users with a deliberately low-privileged account (for example one holding only ROLE_STUDENT) and checking whether the response includes personal information for platform users that account has no relationship with, including administrators.

A practical check is an authenticated HTTP GET to /api/users from that low-privileged account, comparing what comes back against the limited field set the fix leaves visible.

  • Obtain a token for the low-privileged test account and send the request with curl or a similar tool: curl -s -H "Authorization: Bearer <token>" https://<chamilo-lms-domain>/api/users
  • Check whether the response contains sensitive fields (email, phone, roles) for users other than the test account itself, rather than only the limited public fields (id, username, firstname, lastname, illustrationUrl).
  • Check whether records for administrator accounts, or for users the test account shares no course or group with, are present at all; on a fixed instance the collection is scoped to users the requester has a direct relationship with.

If personal data for other users is returned to the unprivileged account, the instance is vulnerable. Use a dedicated test account rather than a real student's credentials, and note that a fixed instance still answers the request, only with a shorter, field-reduced collection, so an HTTP 200 on its own says nothing about exposure.
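The check described above as a script, so the response can be assessed consistently rather than by eye. This is an added example, not part of the advisory or of Chamilo. It assumes, as the curl command does, that the API accepts a bearer token, and that the collection comes back either as a plain JSON array or as an API Platform style object with the list under "hydra:member" (Chamilo 2 builds on Symfony and API Platform, but the exact response shape is an assumption here). The two sample responses are constructed, not captured from a real instance.

```python
"""Checker for CVE-2026-33736: does GET /api/users leak personal data to a
low-privilege account?

Added example, not Chamilo's own code. Assumptions: bearer-token auth, as in
the advisory's curl command; response is a plain JSON array or an API Platform
style collection under "hydra:member". Sample responses are constructed.
"""
import json
import urllib.request

# Fields the advisory says remain visible to unprivileged users after the fix.
PUBLIC_FIELDS = {"id", "username", "firstname", "lastname", "illustrationUrl"}
# Personal fields the advisory says were exposed.
SENSITIVE_FIELDS = {"email", "phone", "roles"}
# JSON-LD / Hydra metadata keys that are not user attributes (assumed shape).
METADATA_KEYS = {"@id", "@type", "@context"}
ADMIN_ROLES = {"ROLE_ADMIN", "ROLE_SUPER_ADMIN"}


def extract_members(body):
    """Return the list of user objects from a decoded /api/users response."""
    if isinstance(body, list):
        return body
    if isinstance(body, dict):
        for key in ("hydra:member", "member"):
            if isinstance(body.get(key), list):
                return body[key]
    raise ValueError("unrecognised collection shape")


def assess(body, self_id=None):
    """Classify a /api/users response fetched with a LOW-privilege account.

    self_id: id of the account used for the request; its own record may
    legitimately carry personal fields and is not counted as a leak.
    """
    leaked, extra, admin_exposed = set(), set(), False
    members = extract_members(body)
    for user in members:
        if self_id is not None and user.get("id") == self_id:
            continue
        keys = set(user) - METADATA_KEYS
        leaked |= keys & SENSITIVE_FIELDS
        # Anything beyond the public set that is not a known sensitive field
        # is reported separately so renamed or extra attributes get a look.
        extra |= keys - PUBLIC_FIELDS - SENSITIVE_FIELDS
        if ADMIN_ROLES & set(user.get("roles") or []):
            admin_exposed = True
    return {
        "users": len(members),
        "leaked_fields": sorted(leaked),
        "extra_fields": sorted(extra),
        "admin_exposed": admin_exposed,
        "vulnerable": bool(leaked),
    }


def fetch_and_assess(base_url, token, self_id=None, timeout=10):
    """Live check against a real instance (network access required)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/users",
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return assess(json.load(resp), self_id=self_id)


# Constructed sample responses (not captured from a real Chamilo instance).
VULNERABLE_SAMPLE = {
    "hydra:member": [
        {"@id": "/api/users/1", "id": 1, "username": "admin", "firstname": "Ada",
         "lastname": "Admin", "email": "admin@example.test", "phone": "+1000",
         "roles": ["ROLE_SUPER_ADMIN"]},
        {"@id": "/api/users/42", "id": 42, "username": "student1", "firstname": "Sam",
         "lastname": "Student", "email": "sam@example.test", "phone": "",
         "roles": ["ROLE_STUDENT"]},
    ]
}
PATCHED_SAMPLE = {
    "hydra:member": [
        {"@id": "/api/users/42", "id": 42, "username": "student1", "firstname": "Sam",
         "lastname": "Student", "illustrationUrl": None},
    ]
}

if __name__ == "__main__":
    for name, sample in (("vulnerable", VULNERABLE_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(name, assess(sample, self_id=42))
```

For a live run, call fetch_and_assess("https://<chamilo-lms-domain>", "<token>", self_id=<id of the test account>) and treat "vulnerable": True or "admin_exposed": True as a positive result. Passing self_id matters: without it a fixed instance that returns the caller's own full record would be misreported as leaking.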


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where this vulnerability is fixed.

The fix restricts access to the /api/users endpoint by implementing role-based access control and field-level filtering, ensuring unprivileged users cannot enumerate all users or access sensitive information.

  • Upgrade Chamilo LMS to version 2.0.0-RC.3 or newer.
  • If an immediate upgrade is not possible, restrict access to the /api/users endpoint at the network or application firewall level (for example, allow it only from trusted administrative IP ranges). A blanket block also cuts off legitimate administrative and integration use of the endpoint, and a proxy cannot tell a student session from an administrator session on its own, so treat this as a stopgap until the upgrade.
  • Review and tighten user roles and permissions to limit exposure.
