Insecure Direct Object Reference in Chamilo LMS Affects Teacher Evaluation Access
CVE-2026-32930

7.1 HIGH

Key Information:

Vendor: Chamilo
CVE Published: 10 April 2026

What is CVE-2026-32930?

Chamilo LMS, a popular learning management system, has a vulnerability that allows authenticated teachers to access and modify the course evaluation settings of other courses. The issue is an Insecure Direct Object Reference (IDOR) in the gradebook evaluation edit page, where manipulating the 'editeval' GET parameter can expose sensitive data. It has been addressed in versions 1.11.38 and 2.0.0-RC.3, highlighting the importance of keeping systems up to date to prevent unauthorized access.

Affected Version(s)

chamilo-lms < 1.11.38

chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
