Insecure Direct Object Reference in Chamilo LMS Versions Prior to 2.0.0-RC.3
CVE-2026-34602

7.1 HIGH

Key Information:

Vendor: Chamilo
CVE Published: 14 April 2026

What is CVE-2026-34602?

Chamilo LMS, an open-source learning management system, contains an Insecure Direct Object Reference (IDOR) in the /api/course_rel_users endpoint. Any authenticated user can set the user field in the request body to the identifier of another user and enroll that user in any course: the backend trusts the supplied identifier as sent and performs no server-side check that the requester is the referenced user, or holds a role that allows enrolling others in the referenced course. The result is unauthorized modification of user-course relationships, which grants unintended access to course material and undermines the integrity of enrollment data on the platform. The issue is fixed in version 2.0.0-RC.3.
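To make the missing check concrete, the following is an added example, not Chamilo's own code, that models the create handler for the endpoint before and after the fix. It assumes API Platform-style IRIs in the request body ("/api/users/<id>", "/api/courses/<id>"), a per-course set of teacher ids, and a per-course "allows self-subscription" flag; the names, fixture data and handler signatures are constructed for illustration.

```python
"""
Added example (not Chamilo's code): a framework-agnostic model of the
authorization decision that was missing from POST /api/course_rel_users
in Chamilo LMS < 2.0.0-RC.3 (CVE-2026-34602).

Assumptions (not taken from the advisory): bodies reference users and
courses by IRI as in API Platform; a course has a set of teacher ids and
an "open for self-subscription" flag.  All data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    is_platform_admin: bool = False


@dataclass
class Course:
    id: int
    teachers: set = field(default_factory=set)   # user ids that manage enrollment
    members: set = field(default_factory=set)    # enrolled user ids
    allows_self_subscription: bool = False       # assumption: an "open" course


class Forbidden(Exception):
    """403: the requester may not create this user/course relationship."""


class NotFound(Exception):
    """404: the referenced user or course does not exist."""


def parse_iri(iri: str, prefix: str) -> int:
    """Extract the numeric id from an IRI such as "/api/users/42"."""
    if not iri.startswith(prefix) or not iri[len(prefix):].isdigit():
        raise NotFound(iri)
    return int(iri[len(prefix):])


def vulnerable_create(requester: User, body: dict, users: dict, courses: dict) -> dict:
    """The flawed pattern: body["user"] is trusted as sent.  Being logged in
    is the only gate; nothing ties the requester to the user being enrolled."""
    target_id = parse_iri(body["user"], "/api/users/")
    course_id = parse_iri(body["course"], "/api/courses/")
    if target_id not in users or course_id not in courses:
        raise NotFound(body)
    courses[course_id].members.add(target_id)
    return {"user": target_id, "course": course_id}


def can_enroll(requester: User, target_id: int, course: Course) -> bool:
    """Server-side decision based on session identity and persisted roles,
    never on anything the client put in the body."""
    if requester.is_platform_admin or requester.id in course.teachers:
        return True
    # An ordinary user may only act on their own account, and only into an open course.
    return requester.id == target_id and course.allows_self_subscription


def hardened_create(requester: User, body: dict, users: dict, courses: dict) -> dict:
    """Same endpoint with the authorization check in place."""
    target_id = parse_iri(body["user"], "/api/users/")
    course_id = parse_iri(body["course"], "/api/courses/")
    if course_id not in courses:
        raise NotFound(body["course"])
    course = courses[course_id]
    # Authorize before confirming the target exists, so a denied caller
    # cannot use 403-vs-404 differences to enumerate user ids.
    if not can_enroll(requester, target_id, course):
        raise Forbidden(f"user {requester.id} may not enroll user {target_id} in course {course_id}")
    if target_id not in users:
        raise NotFound(body["user"])
    course.members.add(target_id)
    return {"user": target_id, "course": course_id}


def make_fixture():
    """Constructed sample data: one admin (1), one teacher (2), two students (3, 4)."""
    users = {u.id: u for u in (User(1, True), User(2), User(3), User(4))}
    courses = {
        10: Course(10, teachers={2}),                                 # closed course
        11: Course(11, teachers={2}, allows_self_subscription=True),  # open course
    }
    return users, courses


def outcome(handler, requester_id: int, target_id: int, course_id: int) -> str:
    """Run one request against a fresh fixture: 'created', 'forbidden' or 'not_found'."""
    users, courses = make_fixture()
    body = {"user": f"/api/users/{target_id}", "course": f"/api/courses/{course_id}"}
    try:
        handler(users[requester_id], body, users, courses)
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"
    assert target_id in courses[course_id].members
    return "created"


if __name__ == "__main__":
    # Student 3 submits a body naming student 4 for the closed course 10.
    print("vulnerable:", outcome(vulnerable_create, 3, 4, 10))  # created (the IDOR)
    print("hardened:  ", outcome(hardened_create, 3, 4, 10))    # forbidden
```

Two details matter beyond the check itself: the decision uses the requester's identity from the session and roles from the database, never the body, and the existence check on the target user runs after authorization so a denied caller learns nothing about which user ids exist. Denied attempts are worth logging with both ids, since a burst of 403s from one account naming many different users is the signal a detection rule would key on.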

Affected Version(s)

chamilo-lms < 2.0.0-RC.3


CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Vector (from the metrics listed): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Timeline

  • Vulnerability Published

  • Vulnerability Reserved