CVE-2026-34602
IDOR Vulnerability in Chamilo LMS Allows Unauthorized Course Enrollment
Publication date: 2026-04-14
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | to 1.11.38 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Chamilo LMS versions prior to 2.0.0-RC.3 in the /api/course_rel_users endpoint. It is an Insecure Direct Object Reference (IDOR) issue that allows an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks.
The backend trusts the user-supplied input for the user field and does not verify on the server side whether the requester owns the referenced user ID or has permission to act on behalf of other users. This lack of verification enables unauthorized manipulation of user-course relationships.
As a result, an attacker can grant unintended access to course materials, bypass enrollment controls, and compromise the integrity of the platform.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to enroll any user into any course without authorization. This unauthorized enrollment can lead to unintended access to course materials.
Such unauthorized access can compromise the integrity of the learning platform, potentially exposing sensitive educational content or user data.
It may also undermine trust in the platform's enrollment controls and user management processes.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the issue has been fixed.
Until the upgrade is applied, restrict access to the /api/course_rel_users endpoint to only trusted and authorized users to reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized users to enroll arbitrary users into courses without proper authorization, potentially granting unintended access to course materials and compromising platform integrity.
Such unauthorized access and manipulation of user data could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict access controls and protection of personal information.
However, the provided information does not explicitly state the impact on compliance with these standards.