CVE-2026-33703

MEDIUM

Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users’ Personal Data and API Tokens

Title source: cna

Description

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3.

References (1)

[X_Refsource_Confirm] https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 8.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (2)

chamilo/chamilo-lms < 2.0.0-RC.3

chamilo/chamilo_lms 2.0.0 alpha1 (10 CPE variants)

Published Apr 10, 2026

Tracked Since Apr 11, 2026