CVE-2026-40291
Insecure Direct Object Modification in Chamilo LMS Enables Admin Escalation
Publication date: 2026-04-14
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | up to 1.11.38 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user with a student role to escalate their privileges to an administrator role, granting full administrative control over the platform.
Such unauthorized access can lead to exposure and unauthorized modification of sensitive user data, including courses, user information, and grades.
This level of unauthorized access and potential data breach could result in non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls over access to personal and sensitive data.
Can you explain this vulnerability to me?
This vulnerability exists in Chamilo LMS versions prior to 2.0.0-RC.3. It is an insecure direct object modification issue in the PUT /api/users/{id} endpoint. Any authenticated user with the ROLE_STUDENT can exploit this vulnerability to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record.
The API Platform security rule on this endpoint only verifies that the caller owns the record; it does not restrict changes to the writable roles field. A user can therefore assign themselves arbitrary roles, including administrative ones.
Successful exploitation grants full administrative control over the platform.
How can this vulnerability impact me?
Exploiting this vulnerability allows a user with student-level access to gain full administrative privileges on the Chamilo LMS platform.
- Access to all courses
- Access to all user data
- Access to grades
- Access to administrative settings
This can lead to unauthorized data exposure, modification, and control over the learning management system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the issue has been fixed.
Until the upgrade can be performed, block or monitor PUT requests to /api/users/{id} from users holding ROLE_STUDENT that modify the roles field, so that the privilege escalation cannot be triggered.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring or testing the PUT /api/users/{id} endpoint for unauthorized role modifications by authenticated users with the ROLE_STUDENT privilege.
Specifically, you can attempt to send a PUT request to the endpoint with your own user ID and modify the roles field to include ROLE_ADMIN. If the system accepts this change, it is vulnerable.
A sample command using curl to test this could be:

```shell
curl -X PUT -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"roles": ["ROLE_ADMIN"]}' https://<chamilo-lms-domain>/api/users/<your-user-id>
```
Replace <token> with a valid authentication token for a user with ROLE_STUDENT and <your-user-id> with that user's ID.
If the response indicates success and the roles have been updated, the system is vulnerable.
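The interim mitigation and the monitoring advice above can both be implemented in front of the API. The following is an added example, not Chamilo or API Platform code: a gateway-style policy that lets only ROLE_ADMIN write the roles field of a user record, plus a scan over constructed JSON access-log lines that flags past attempts. The log field names (method, path, actor_id, actor_roles, body, status) and the inclusion of PATCH are assumptions.

```python
"""Added example (not Chamilo code): guard and log scan for roles writes via PUT /api/users/{id}."""
import json
import re

USER_PATH = re.compile(r"^/api/users/(?P<id>\d+)/?$")
WRITE_METHODS = {"PUT", "PATCH"}  # PATCH is included as an assumption
ADMIN = "ROLE_ADMIN"

def request_allowed(method: str, path: str, actor_roles: set, body: str) -> bool:
    """Interim policy from the mitigation text: only admins may write `roles`."""
    if method.upper() not in WRITE_METHODS or not USER_PATH.match(path):
        return True  # not the affected endpoint
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return False  # refuse malformed writes to this endpoint
    if not isinstance(payload, dict) or "roles" not in payload:
        return True  # ordinary profile edits are untouched
    return ADMIN in actor_roles

def scan_log(lines: list) -> list:
    """Flag writes where a non-admin actor supplied roles they do not already hold."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
            body = json.loads(ev.get("body") or "{}")
        except (json.JSONDecodeError, AttributeError):
            continue  # unparsable log line or body: skip, do not crash the scan
        m = USER_PATH.match(ev.get("path", ""))
        if not m or ev.get("method", "").upper() not in WRITE_METHODS or not isinstance(body, dict):
            continue
        actor_roles = set(ev.get("actor_roles", []))
        gained = set(body.get("roles", [])) - actor_roles
        if gained and ADMIN not in actor_roles:
            findings.append({
                "actor_id": ev.get("actor_id"),
                "target_id": int(m.group("id")),
                "self_modification": str(ev.get("actor_id")) == m.group("id"),
                "roles_gained": sorted(gained),
                "accepted": 200 <= int(ev.get("status", 0)) < 300,  # 2xx: the write went through
            })
    return findings

SAMPLE_LOG = [json.dumps(e) for e in (  # constructed events, not real traffic
    {"method": "PUT", "path": "/api/users/42", "actor_id": 42, "actor_roles": ["ROLE_STUDENT"], "body": '{"roles": ["ROLE_ADMIN"]}', "status": 200},
    {"method": "PUT", "path": "/api/users/42", "actor_id": 42, "actor_roles": ["ROLE_STUDENT"], "body": '{"firstname": "Ada"}', "status": 200},
    {"method": "PUT", "path": "/api/users/7", "actor_id": 1, "actor_roles": ["ROLE_ADMIN"], "body": '{"roles": ["ROLE_ADMIN"]}', "status": 200},
)]
```

Only the first constructed event is reported: a student writing ROLE_ADMIN onto their own record with a 2xx response, which is exactly the "accepted" outcome the detection text calls vulnerable.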