anonhaven
Ad

CVE-2026-40291

HIGH CVSS 3.1: 8.8
Updated Apr 17, 2026
Chamilo
Parameter Value
CVSS 8.8 (HIGH)
Affected Versions before 2.0.0
Fixed In 2.0.0
Type CWE-863 (Incorrect Authorization), CWE-269 (Improper Privilege Management)
Vendor Chamilo
Public PoC No

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN.

Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-863 Incorrect Authorization
CWE-269 Improper Privilege Management

References 2

https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3
security-advisories@github.com
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x
security-advisories@github.com
Share Post Share Share Share