Open Redirect Vulnerability in Chamilo LMS Affects Administrators
CVE-2026-32932

4.7 MEDIUM

Key Information:

Vendor: Chamilo
CVE Published: 10 April 2026

What is CVE-2026-32932?

Chamilo LMS, a popular learning management system, has an Open Redirect vulnerability that affects authenticated administrators. The flaw allows attackers to redirect admins to malicious external URLs when they save changes to coach assignments, facilitating potential session hijacking and data leaks. The id_session parameter can also be unintentionally shared with the attacker's server, posing further risks to user data integrity. Update to version 1.11.38 or 2.0.0-RC.3 to mitigate this vulnerability.

Affected Version(s)

chamilo-lms < 1.11.38

chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
