Vulnerability in Chamilo LMS REST API Key Generation
CVE-2026-33710

7.5 HIGH

Key Information:

Vendor: Chamilo
CVE Published: 10 April 2026

What is CVE-2026-33710?

Chamilo LMS, a widely used learning management system, contains a vulnerability in its REST API key generation mechanism. Versions prior to 1.11.38 and 2.0.0-RC.3 generate keys with a flawed formula that makes them predictable. The formula relies on a static random value, so an attacker who knows a username and the approximate time of key creation can brute-force the key. This can compromise user accounts and sensitive data; updating to the latest version addresses the issue.

Affected Version(s)

chamilo-lms < 1.11.38

chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
