Insecure Direct Object Reference in Chamilo LMS Vulnerability
CVE-2026-33703

7.1HIGH

Key Information:

Vendor: Chamilo
CVE Published: 10 April 2026

What is CVE-2026-33703?

Chamilo LMS, a widely used learning management system, contains an insecure direct object reference (IDOR) in the /social-network/personal-data/{userId} endpoint. The endpoint requires the caller to be authenticated but does not verify that the requested record belongs to that caller, so any authenticated user who changes the userId parameter can read the personal data and API tokens of other users, a significant data-exposure and breach risk across the platform. The issue is fixed in version 2.0.0-RC.3; users are advised to upgrade to that version or later.
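To make the missing check concrete, here is an added model of the flaw in plain Python (not Chamilo's code; the User table, exception classes and handler names are hypothetical): the vulnerable handler trusts the userId path parameter after an authentication check, the fixed handler also authorizes the object reference before looking it up.

```python
# Added illustration (not Chamilo code): a "personal data by user id" endpoint
# with an IDOR, beside the authorization check that closes it.
# All names (USERS, Forbidden, NotFound, personal_data_*) are hypothetical.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


class NotFound(Exception):
    """Raised when no user has the requested id."""


@dataclass(frozen=True)
class User:
    id: int
    email: str
    api_token: str  # a secret the endpoint must never hand to another user
    is_admin: bool = False


# Constructed sample data standing in for the LMS user table.
USERS = {
    1: User(1, "alice@example.org", "tok-alice-1111"),
    2: User(2, "bob@example.org", "tok-bob-2222"),
    9: User(9, "admin@example.org", "tok-admin-9999", is_admin=True),
}


def personal_data_vulnerable(caller_id: int, user_id: int) -> dict:
    """Checks only that the caller is logged in, then trusts the path parameter."""
    if caller_id not in USERS:
        raise Forbidden("authentication required")
    target = USERS.get(user_id)
    if target is None:
        raise NotFound(user_id)
    return {"id": target.id, "email": target.email, "api_token": target.api_token}


def personal_data_fixed(caller_id: int, user_id: int) -> dict:
    """Authorizes the object reference: the record must belong to the caller,
    or the caller must be an administrator. The check runs before the lookup,
    so a non-owner cannot learn which ids exist."""
    caller = USERS.get(caller_id)
    if caller is None:
        raise Forbidden("authentication required")
    if caller.id != user_id and not caller.is_admin:
        raise Forbidden("not the owner of this record")
    target = USERS.get(user_id)
    if target is None:
        raise NotFound(user_id)
    return {"id": target.id, "email": target.email, "api_token": target.api_token}
```

The same ownership-or-role check belongs in every handler that resolves a record from a client-supplied id, not only this endpoint.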

Affected Version(s)

chamilo-lms < 2.0.0-RC.3

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
