Insecure Direct Object Reference in Chamilo LMS Gradebook Allows Unauthorized Grade Deletion
CVE-2026-32894

CVSS score: 7.1 (HIGH)

Key Information:

Vendor: Chamilo

CVE Published: 10 April 2026

What is CVE-2026-32894?

Chamilo LMS, a widely used learning management system, contains a vulnerability that lets an authenticated teacher delete any student's grade results, not only those in courses the teacher owns. The root cause is that the gradebook's delete-result handler does not enforce ownership or course-scope checks before acting on the request: it trusts the identifiers supplied in GET parameters, so a teacher who changes those parameters can remove grade records belonging to other courses and students (an insecure direct object reference). The issue is fixed in versions 1.11.38 and 2.0.0-RC.3, which add the missing authorization checks to the delete path.
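To make the missing checks concrete, the following PHP sketch is an added illustration and not Chamilo's own code: the function names, the course-to-teacher mapping and the in-memory store are assumptions. It contrasts a delete handler that acts on a result id taken straight from the query string with a hardened handler that first resolves the result to its course, then requires the caller to be a teacher of that course, denying by default.

```php
<?php
declare(strict_types=1);

// Constructed fixtures standing in for the database (assumption, not Chamilo's schema).
// result_id => which course and student the grade result belongs to
$results = [
    10 => ['course_id' => 1, 'student_id' => 100],
    11 => ['course_id' => 2, 'student_id' => 200],
];
// course_id => ids of the teachers who own that course
$courseTeachers = [
    1 => [7],
    2 => [8],
];

// VULNERABLE PATTERN (the class of flaw the advisory describes):
// the only gate is "is the caller an authenticated teacher?"; the result id
// from $_GET is never tied to a course the caller owns, so any teacher can
// delete any result in any course.
function deleteResultVulnerable(array &$results, int $teacherId, array $courseTeachers, array $get): bool
{
    $isTeacher = false;
    foreach ($courseTeachers as $teachers) {
        if (in_array($teacherId, $teachers, true)) { $isTeacher = true; break; }
    }
    if (!$isTeacher) { return false; }                 // role check only
    $resultId = (int) ($get['result_id'] ?? 0);
    if (!isset($results[$resultId])) { return false; }
    unset($results[$resultId]);                        // no ownership / course-scope check
    return true;
}

// HARDENED PATTERN: scope the object to the course the request is made in,
// and require that the caller teaches that course. Unknown ids and
// out-of-scope ids are both refused with the same result so the check does
// not reveal whether a result exists elsewhere.
function deleteResultHardened(array &$results, int $teacherId, int $currentCourseId, array $courseTeachers, array $get): bool
{
    $resultId = (int) ($get['result_id'] ?? 0);
    $row = $results[$resultId] ?? null;
    if ($row === null) { return false; }
    // 1. course scope: the result must belong to the course of the current request
    if ($row['course_id'] !== $currentCourseId) {
        error_log("gradebook: denied delete of result $resultId outside course $currentCourseId by teacher $teacherId");
        return false;
    }
    // 2. ownership: the caller must be a teacher of that course
    $owners = $courseTeachers[$currentCourseId] ?? [];
    if (!in_array($teacherId, $owners, true)) {
        error_log("gradebook: denied delete of result $resultId in course $currentCourseId by non-owner teacher $teacherId");
        return false;
    }
    unset($results[$resultId]);
    return true;
}

// Demonstration: teacher 7 owns course 1 but sends result_id=11, which
// belongs to course 2. The vulnerable handler deletes it; the hardened one refuses.
$request = ['result_id' => '11'];

$copy = $results;
var_dump(deleteResultVulnerable($copy, 7, $courseTeachers, $request));   // bool(true)  -> cross-course deletion
var_dump(isset($copy[11]));                                              // bool(false)

$copy = $results;
var_dump(deleteResultHardened($copy, 7, 1, $courseTeachers, $request));  // bool(false) -> refused
var_dump(isset($copy[11]));                                              // bool(true)

// The legitimate case still works: teacher 8 deleting result 11 inside course 2.
var_dump(deleteResultHardened($copy, 8, 2, $courseTeachers, $request));  // bool(true)
```

The design point is that the role check ("is a teacher") and the object check ("owns this particular result's course") are separate, and the second one must be evaluated against the object resolved from storage rather than against any course or owner identifier the client supplies. The denied attempts are logged, which gives defenders a signal for detecting probing of result ids across courses.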

Affected Version(s)

chamilo-lms < 1.11.38

chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3

CVSS v3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 10 April 2026

  • Vulnerability reserved