CVE-2026-34602

EPSS 0.03%
Veröffentlicht 14.04.2026 21:29:06
Zuletzt bearbeitet 17.04.2026 15:38:09
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. This issue has been fixed in version  2.0.0-RC.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerchamilo

≫

Produkt chamilo-lms

Version < 2.0.0-RC.3

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.08

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x373-8j9j-g5pj

https://github.com/chamilo/chamilo-lms/commit/2a9f060fa9d50fc9a92ed93af774d2619642df92

https://github.com/chamilo/chamilo-lms/commit/bd2ba34c2e74475587e38c74c90c2934e69c8779

https://github.com/chamilo/chamilo-lms/commit/c9c30cdc48afae57cd6ab012ae2eceafd351a40e

https://nvd.nist.gov/vuln/detail/CVE-2026-34602

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34602

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34602

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34602