Session Fixation Vulnerability in Chamilo LMS Learning Management System
CVE-2026-31940

7.5 HIGH

Key Information:

Vendor

Chamilo

CVE Published:
10 April 2026

What is CVE-2026-31940?

Chamilo LMS, a widely used learning management system, is susceptible to session fixation: in main/lp/aicc_hacp.php, an unvalidated user-controlled request parameter is used to set the PHP session ID. An attacker who can get a victim to open a link or request carrying an attacker-chosen session ID then knows the identifier of the session the victim subsequently authenticates, and can use it to hijack that session. The issue is fixed in Chamilo LMS 1.11.38 and 2.0.0-RC.3; users are advised to upgrade to one of those versions.
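The following is an added illustration of the vulnerability class described above and its remediation; it is not code from Chamilo LMS, and the parameter name sid, the function names, and the login flow are hypothetical stand-ins chosen for the example. The vulnerable function adopts a client-supplied value as the session ID; the hardened functions refuse client-supplied IDs and rotate the ID at authentication.

```php
<?php
// Added example of the session-fixation pattern, not Chamilo's own code.
// "sid" is a hypothetical parameter name; the real parameter is not
// named on the advisory page.

// VULNERABLE PATTERN: a request parameter is handed to session_id()
// before session_start(). Whatever the attacker put in the link becomes
// the victim's session identifier, so the attacker knows it in advance
// and can present it in a Cookie header once the victim has logged in.
function start_session_vulnerable(): void
{
    if (isset($_REQUEST['sid'])) {
        session_id($_REQUEST['sid']);   // attacker-controlled, unvalidated
    }
    session_start();
}

// HARDENED PATTERN: never adopt a client-chosen identifier. PHP issues
// its own IDs, refuses IDs it did not generate (strict mode), reads the
// ID only from the cookie (never GET/POST/URL), and the application
// rotates the ID whenever privilege changes (login), so a value an
// attacker planted before authentication is worthless afterwards.
function start_session_hardened(): void
{
    ini_set('session.use_strict_mode', '1');   // reject uninitialised IDs
    ini_set('session.use_only_cookies', '1');  // ignore ?PHPSESSID=... etc.
    ini_set('session.use_trans_sid', '0');     // never embed the ID in URLs
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical login step: called after credentials have been verified.
function login_hardened(string $user): void
{
    // Issue a fresh ID and delete the old session file. Any ID the
    // attacker knew (fixed or sniffed) no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
}

// Hypothetical logout step: destroy server-side state and the cookie.
function logout_hardened(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Note that merely validating the format of the incoming value (for example, checking it matches PHP's session ID character set) does not fix session fixation: a well-formed attacker-chosen ID is still attacker-chosen. The fix is to stop accepting the ID from the request at all and to regenerate it on login, which is what use_strict_mode together with session_regenerate_id(true) gives you.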

Affected Version(s)

chamilo-lms < 1.11.38

chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Score: 7.5
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 10 April 2026

  • Vulnerability reserved