CVE-2026-34370
Received Received - Intake
IDOR Vulnerability in Chamilo LMS Notebook Module Exposes Notes

Publication date: 2026-04-14

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the platform by manipulating the notebook_id parameter in the editnote action. The application fetches the note content using only the supplied integer ID without verifying that the requesting user owns the note, and the full title and HTML body are rendered in the edit form and returned to the attacker's browser. While ownership checks exist in the write paths (updateNote() and delete_note()), they are entirely absent from the read path (get_note_information()). This issue has been fixed in version 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34370
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms to 1.11.38 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows any authenticated student to read private course notes of other users without authorization, which constitutes unauthorized access to personal data.

Such unauthorized disclosure of private information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Specifically, the lack of ownership verification in the read path of the notebook module means that confidentiality of user data is compromised, potentially violating principles of data minimization and access control mandated by these standards.

Executive Summary

The vulnerability in Chamilo LMS versions prior to 2.0.0-RC.3 is an Insecure Direct Object Reference (IDOR) in the notebook module. It allows any authenticated student to read private course notes of other users by manipulating the notebook_id parameter in the editnote action. The system fetches note content based solely on the provided integer ID without verifying ownership, exposing the full title and HTML body of notes to unauthorized users.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private course notes between users. An attacker who is an authenticated student can access sensitive information belonging to other users, potentially compromising privacy and confidentiality within the learning platform.

Mitigation Strategies

To mitigate this vulnerability, upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the issue has been fixed.

Until the upgrade can be performed, restrict authenticated student access to the notebook module or monitor and control the manipulation of the notebook_id parameter in requests to prevent unauthorized access to other users' notes.

Detection Guidance

This vulnerability can be detected by testing whether an authenticated student user can access private course notes of other users by manipulating the notebook_id parameter in the editnote action.

A practical approach is to authenticate as a student and attempt to access notes by changing the notebook_id parameter in the URL or request payload to IDs that belong to other users.

For example, using curl to send a request with different notebook_id values and observing if the response contains note content that should not be accessible.

  • curl -b cookies.txt -c cookies.txt 'https://your-chamilo-instance/editnote?notebook_id=123'
  • Modify the notebook_id parameter to other values (e.g., 124, 125) to check if notes from other users are returned.

If notes belonging to other users are accessible without proper authorization errors, the vulnerability is present.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart