Password Reset Vulnerability in Chamilo LMS Affects User Authentication
CVE-2026-33707

9.4 CRITICAL

Key Information:

Vendor: Chamilo

CVE Published: 10 April 2026

What is CVE-2026-33707?

Chamilo LMS's default password reset mechanism generates reset tokens in a predictable way: the token is the SHA-1 hash of the user's email address, with no randomness, no expiration, and no rate limiting. Anyone who knows a user's email address can therefore compute a valid reset token and set a new password for that account without authenticating. The issue is fixed in Chamilo LMS 1.11.38 and 2.0.0-RC.3; users of earlier versions should upgrade.
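To make the contrast concrete, here is an added illustration (not Chamilo's code, and written in Python rather than PHP as a language-neutral sketch) of the deterministic token pattern the advisory describes beside a reset-token store that adds the three missing properties: a CSPRNG-generated single-use token, an expiry, and a cap on failed verification attempts. Only a hash of the token is kept server-side, so a database read does not yield usable tokens.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds a reset token stays valid (assumed policy value)
MAX_ATTEMPTS = 5      # failed verifications before the pending token is voided


def weak_token(email):
    """The pattern the advisory describes: derived only from the email,
    so it is the same every time and never expires."""
    return hashlib.sha1(email.encode()).hexdigest()


class ResetTokenStore:
    """Issues and verifies one-time, expiring password-reset tokens.
    `now` is injectable so expiry can be exercised deterministically."""

    def __init__(self, now=time.time):
        self._now = now
        # email -> [sha256(token) hex, expiry timestamp, failed attempts]
        self._pending = {}

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unrelated to the email
        digest = hashlib.sha256(token.encode()).hexdigest()  # store a hash, never the token itself
        self._pending[email] = [digest, self._now() + TOKEN_TTL, 0]
        return token  # delivered to the user out of band (e.g. by email)

    def verify(self, email, presented):
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expires_at, _failures = entry
        if self._now() > expires_at:
            del self._pending[email]  # expired tokens are discarded, not kept around
            return False
        candidate = hashlib.sha256(presented.encode()).hexdigest()
        if hmac.compare_digest(digest, candidate):  # constant-time comparison
            del self._pending[email]  # single use: a token cannot be replayed
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[email]  # too many failures voids the token; user must request a new one
        return False
```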

Affected Version(s)

Package: chamilo-lms
Affected: < 1.11.38
Fixed in: 1.11.38

Package: chamilo-lms
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3
Fixed in: 2.0.0-RC.3


CVSS V3.1

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 10 April 2026
  • Vulnerability reserved