Insecure Direct Object Reference in Chamilo LMS Affects User Data Privacy
CVE-2026-33141

6.5 MEDIUM

Key Information:

Vendor

Chamilo

CVE Published:
10 April 2026

What is CVE-2026-33141?

Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in its REST API stats endpoint. Any authenticated user, including one holding only the low-privilege ROLE_USER role, can request the stats of an arbitrary other user and receive that user's learning progress, certificates and gradebook scores across courses. The endpoint checks only that the caller is logged in; it does not verify that the caller is the target user, is enrolled in or teaches a course shared with the target, or stands in any supervisory relationship to them. Because a low-privilege account is all that is required, instances that allow self-registration are effectively exposed to anyone who can create an account. The flaw is a read-only disclosure (integrity is not affected). It is fixed in version 2.0.0-RC.3; earlier 2.0.0 release candidates should be upgraded.
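The authorization gap described above, as an added illustration that is not Chamilo's own code: a per-user stats handler that checks only authentication, beside one that applies object-level authorization by tying the requested user id to the caller (self, supervisor, or a teacher of a course the target is enrolled in, with teachers limited to the courses they actually teach). The users, courses, stats and the supervisor relation are constructed sample data, and the role names and relationships are assumptions for the model rather than Chamilo's data model.

```python
"""Illustrative IDOR model for a per-user stats endpoint (not Chamilo code).

stats_vulnerable() mirrors the flawed behaviour: any logged-in user can read
any target user's stats.  stats_fixed() adds the missing object-level check.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not read the requested user's stats."""


@dataclass
class User:
    id: int
    roles: set
    supervisor_ids: set = field(default_factory=set)  # hypothetical HR/supervisor relation


@dataclass
class Course:
    id: int
    teacher_ids: set
    student_ids: set


# Constructed sample data (not taken from Chamilo).
USERS = {
    1: User(1, {"ROLE_USER"}, supervisor_ids={4}),  # alice, student in courses 10 and 20
    2: User(2, {"ROLE_USER"}),                       # bob, student in course 10, unrelated to alice
    3: User(3, {"ROLE_TEACHER"}),                    # carol, teaches course 10
    4: User(4, {"ROLE_USER"}),                       # dave, alice's supervisor
    5: User(5, {"ROLE_TEACHER"}),                    # eve, teaches course 20
}
COURSES = {
    10: Course(10, teacher_ids={3}, student_ids={1, 2}),
    20: Course(20, teacher_ids={5}, student_ids={1}),
}
STATS = {
    1: {"progress": {10: 0.8, 20: 0.4}, "certificates": [10], "gradebook": {10: 85, 20: 60}},
    2: {"progress": {10: 0.3}, "certificates": [], "gradebook": {10: 40}},
}


def stats_vulnerable(requester: User, target_id: int) -> dict:
    """IDOR: the only check is that an authenticated user made the request.

    Changing target_id is enough to read any other user's progress, certificates
    and grades.
    """
    if requester is None:
        raise Forbidden("authentication required")
    return STATS[target_id]


def visible_courses(requester: User, target_id: int):
    """Course ids of target_id that requester may see.

    None means everything (self, admin, supervisor); an empty set means the
    caller has no legitimate relationship with the target (or the target does
    not exist, which is deliberately indistinguishable).
    """
    target = USERS.get(target_id)
    if target is None:
        return set()
    if requester.id == target_id or "ROLE_ADMIN" in requester.roles:
        return None
    if requester.id in target.supervisor_ids:
        return None
    # Teachers see only the courses in which they teach this particular student.
    return {
        cid for cid, course in COURSES.items()
        if requester.id in course.teacher_ids and target_id in course.student_ids
    }


def stats_fixed(requester: User, target_id: int) -> dict:
    """Object-level authorization: the requested object is tied to the caller."""
    if requester is None:
        raise Forbidden("authentication required")
    allowed = visible_courses(requester, target_id)
    full = STATS.get(target_id, {"progress": {}, "certificates": [], "gradebook": {}})
    if allowed is None:
        return full
    if not allowed:
        raise Forbidden("no relationship with target user")
    # Filter every per-course field down to the courses the caller may see.
    return {
        "progress": {c: v for c, v in full["progress"].items() if c in allowed},
        "certificates": [c for c in full["certificates"] if c in allowed],
        "gradebook": {c: v for c, v in full["gradebook"].items() if c in allowed},
    }


def try_stats(requester: User, target_id: int):
    """Demonstration helper: the fixed endpoint's result, or None if forbidden."""
    try:
        return stats_fixed(requester, target_id)
    except Forbidden:
        return None
```

Calling `stats_vulnerable(USERS[2], 1)` returns all of alice's stats to bob, who shares no course and no supervisory link with her; `try_stats(USERS[2], 1)` returns None, while carol (teacher of course 10) gets only the course-10 entries and alice or her supervisor get everything. The same response is returned for a forbidden target and a non-existent one, so the hardened endpoint also does not confirm which user ids exist.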

Affected Version(s)

chamilo-lms < 2.0.0-RC.3

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
