Executive Summary

CVE-2026-33736 is a security vulnerability in Chamilo LMS that allows any authenticated user, including students, to enumerate all users on the platform and access their personal information such as email addresses, phone numbers, and roles via the GET /api/users API endpoint.

The vulnerability exists because the API's user collection endpoint requires only basic user permissions, enabling unauthorized access to sensitive user data, including administrator accounts.

This issue is classified as an Insecure Direct Object Reference (IDOR) vulnerability, where the authorization mechanism fails to restrict access properly based on user roles.

The vulnerability was fixed in Chamilo LMS version 2.0.0-RC.3 by implementing role-based access control and field-level filtering to restrict unprivileged users to only see limited user information and only users they have a direct relationship with.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows any authenticated user, including students, to enumerate all platform users and access their personal information such as email addresses, phone numbers, and roles, including administrator accounts.

This unauthorized exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Specifically, the exposure of sensitive user data without proper authorization violates principles of data confidentiality and access control mandated by these standards.

The vulnerability increases the risk of privacy breaches and targeted attacks, which can result in regulatory penalties and damage to organizational reputation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive personal information of all users on the platform, including email addresses, phone numbers, and user roles.

Exposure of administrator account details can facilitate targeted attacks such as phishing or social engineering against privileged users.

Since the vulnerability allows low-privileged users to access data they should not see, it compromises user privacy and platform security.

The vulnerability has a CVSS v3 base score of 6.5, indicating a moderate severity with a network attack vector and low attack complexity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the GET /api/users endpoint as an authenticated user with low privileges (e.g., ROLE_STUDENT) and checking if the response includes personal information of all platform users, including administrators.

A practical detection method is to perform an authenticated HTTP GET request to the /api/users endpoint and observe if sensitive fields such as email, phone, and roles are returned for all users.

• Use curl or similar tools to send an authenticated request: curl -H "Authorization: Bearer <token>" https://<chamilo-lms-domain>/api/users
• Check if the response contains sensitive user data beyond the limited public fields (id, username, firstname, lastname, illustrationUrl).

If sensitive data is accessible to unprivileged users, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where this vulnerability is fixed.

The fix restricts access to the /api/users endpoint by implementing role-based access control and field-level filtering, ensuring unprivileged users cannot enumerate all users or access sensitive information.

• Upgrade Chamilo LMS to version 2.0.0-RC.3 or newer.
• If immediate upgrade is not possible, consider restricting access to the /api/users endpoint at the network or application firewall level to prevent unprivileged users from accessing it.
• Review and tighten user roles and permissions to limit exposure.

Useful 0 Not Useful 0