CVE-2026-34602
Received Received - Intake
IDOR Vulnerability in Chamilo LMS Allows Unauthorized Course Enrollment

Publication date: 2026-04-14

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. This issue has been fixed in version 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34602
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms to 1.11.38 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Chamilo LMS versions prior to 2.0.0-RC.3 in the /api/course_rel_users endpoint. It is an Insecure Direct Object Reference (IDOR) issue that allows an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks.

The backend trusts the user-supplied input for the user field and does not verify on the server side whether the requester owns the referenced user ID or has permission to act on behalf of other users. This lack of verification enables unauthorized manipulation of user-course relationships.

As a result, an attacker can grant unintended access to course materials, bypass enrollment controls, and compromise the integrity of the platform.

Impact Analysis

This vulnerability can impact you by allowing an attacker to enroll any user into any course without authorization. This unauthorized enrollment can lead to unintended access to course materials.

Such unauthorized access can compromise the integrity of the learning platform, potentially exposing sensitive educational content or user data.

It may also undermine trust in the platform's enrollment controls and user management processes.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the issue has been fixed.

Until the upgrade is applied, restrict access to the /api/course_rel_users endpoint to only trusted and authorized users to reduce the risk of exploitation.

Compliance Impact

The vulnerability allows unauthorized users to enroll arbitrary users into courses without proper authorization, potentially granting unintended access to course materials and compromising platform integrity.

Such unauthorized access and manipulation of user data could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict access controls and protection of personal information.

However, the provided information does not explicitly state the impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart