Insecure Direct Object Reference in Chamilo LMS Affects User Progress Management
CVE-2026-33702

7.1 HIGH

Key Information:

Vendor
Chamilo

CVE Published:
10 April 2026

What is CVE-2026-33702?

Chamilo LMS, a widely used learning management system, contains an Insecure Direct Object Reference (IDOR) vulnerability in its Learning Path progress-saving mechanism in versions prior to 1.11.38 and 2.0.0-RC.3. The endpoint lp_ajax_save_item.php accepts a uid (user ID) parameter from the client and does not verify that the caller is permitted to act on that user, so an authenticated user can alter another user's Learning Path progress simply by changing that parameter. The result is unauthorized modification of scores, completion statuses, and progress timestamps: any user enrolled in a course can overwrite peers' progress data. The issue is fixed in 1.11.38 and 2.0.0-RC.3, and deployments should upgrade to one of those versions to restore the integrity of progress records.
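The following Python model illustrates the flaw described above next to one way of closing it. It is an added example, not Chamilo's code: the in-memory store, the two handler functions, and every request field other than uid (course, item, score, status) are constructed for this illustration. The vulnerable handler trusts the uid field from the request body; the hardened handler takes identity only from the authenticated session, refuses a write when a client-supplied uid disagrees with it, and records that mismatch as an audit event a defender can alert on.

```python
"""Simplified model of the IDOR in CVE-2026-33702 and one way to close it.

Added illustration, not Chamilo's code. The store, the handler names and every
request field other than `uid` (course, item, score, status) are constructed
for this example.
"""
from dataclasses import dataclass, field


@dataclass
class ProgressStore:
    """In-memory stand-in for the learning-path progress table."""
    records: dict = field(default_factory=dict)   # (course, item, user) -> record
    audit: list = field(default_factory=list)     # events a SIEM could alert on

    def save(self, course, item, user_id, score, status):
        self.records[(course, item, user_id)] = {"score": score, "status": status}

    def get(self, course, item, user_id):
        return self.records.get((course, item, user_id))


def save_item_vulnerable(store, session_user_id, params):
    """Vulnerable shape: the target user is taken from the request body.

    `session_user_id` is who is actually logged in; `params['uid']` is whatever
    the client sent. Nothing ties the two together, so an enrolled user can
    overwrite any other user's score and status.
    """
    target = int(params["uid"])                        # client-controlled
    store.save(params["course"], int(params["item"]),
               target, float(params["score"]), params["status"])
    return target


def save_item_fixed(store, session_user_id, params):
    """Hardened shape: the authenticated session is the only source of identity.

    The `uid` field is no longer trusted. If a client still sends one that
    differs from the session user, the write is refused and an audit event is
    recorded; that mismatch is itself a useful detection signal.
    """
    claimed = params.get("uid")
    if claimed is not None and int(claimed) != session_user_id:
        store.audit.append({
            "event": "lp_progress_uid_mismatch",
            "session_user": session_user_id,
            "claimed_uid": int(claimed),
            "course": params["course"],
        })
        raise PermissionError("uid does not match the authenticated user")
    store.save(params["course"], int(params["item"]),
               session_user_id, float(params["score"]), params["status"])
    return session_user_id


def demo():
    """Run both handlers on one constructed request: user 7 is logged in, uid says 42."""
    store = ProgressStore()
    request = {"uid": "42", "course": "SEC101", "item": "3",
               "score": "100", "status": "completed"}   # constructed sample

    written_by_vuln = save_item_vulnerable(store, session_user_id=7, params=request)
    try:
        save_item_fixed(store, session_user_id=7, params=request)
        refused = False
    except PermissionError:
        refused = True
    return {
        "vulnerable_wrote_for": written_by_vuln,   # 42: another user's record
        "fixed_refused": refused,                  # True
        "audit_events": len(store.audit),          # 1 mismatch event logged
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that authorization for a write must be derived server-side from the session (or from an explicit role check for staff who legitimately edit others' progress), never from an identifier the client supplies; once the session is authoritative, any request that still carries a conflicting uid is anomalous and worth logging.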

Affected Version(s)

chamilo-lms < 1.11.38

chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved