CVE-2026-40291
Received Received - Intake
Insecure Direct Object Modification in Chamilo LMS Enables Admin Escalation

Publication date: 2026-04-14

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40291
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms to 1.11.38 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated user with a student role to escalate their privileges to an administrator role, granting full administrative control over the platform.

Such unauthorized access can lead to exposure and unauthorized modification of sensitive user data, including courses, user information, and grades.

This level of unauthorized access and potential data breach could result in non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls over access to personal and sensitive data.

Detection Guidance

This vulnerability can be detected by monitoring or testing the PUT /api/users/{id} endpoint for unauthorized role modifications by authenticated users with the ROLE_STUDENT privilege.

Specifically, you can attempt to send a PUT request to the endpoint with your own user ID and modify the roles field to include ROLE_ADMIN. If the system accepts this change, it is vulnerable.

A sample command using curl to test this could be:

  • curl -X PUT -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"roles": ["ROLE_ADMIN"]}' https://<chamilo-lms-domain>/api/users/<your-user-id>

Replace <token> with a valid authentication token for a user with ROLE_STUDENT and <your-user-id> with that user's ID.

If the response indicates success and the roles have been updated, the system is vulnerable.

Executive Summary

This vulnerability exists in Chamilo LMS versions prior to 2.0.0-RC.3. It is an insecure direct object modification issue in the PUT /api/users/{id} endpoint. Any authenticated user with the ROLE_STUDENT can exploit this vulnerability to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record.

The API Platform security only verifies record ownership but does not restrict changes to the roles field, which is writable. This allows users to assign themselves arbitrary roles, including administrative roles.

Successful exploitation grants full administrative control over the platform.

Impact Analysis

Exploiting this vulnerability allows a user with student-level access to gain full administrative privileges on the Chamilo LMS platform.

  • Access to all courses
  • Access to all user data
  • Access to grades
  • Access to administrative settings

This can lead to unauthorized data exposure, modification, and control over the learning management system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the issue has been fixed.

Until the upgrade can be performed, restrict or monitor authenticated users with the ROLE_STUDENT permission from accessing or modifying the roles field via the PUT /api/users/{id} endpoint to prevent privilege escalation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40291. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart