Platform: php
Component: chamilo-lms
Fixed in: 1.11.39
CVE-2026-33706 describes a privilege escalation vulnerability within Chamilo LMS, a popular learning management system. An authenticated user with a REST API key can exploit this flaw to modify their user status, potentially elevating their privileges to those of a Teacher or Course Manager. This vulnerability impacts versions 1.11.0 through 1.11.37 and has been resolved in version 1.11.38.
The primary impact of CVE-2026-33706 is the unauthorized elevation of user privileges. An attacker, already authenticated within the Chamilo LMS, can leverage the REST API to change their user status from a standard student (status=5) to a Teacher or Course Manager (status=1). This grants them the ability to create, modify, and delete courses, manage users, and potentially access sensitive data within the learning environment. The blast radius extends to all courses and users managed by the compromised account, potentially disrupting learning activities and compromising data integrity. While not directly leading to system compromise, the ability to control course content and user access represents a significant security risk.
CVE-2026-33706 was published on 2026-04-10. Its severity is rated HIGH with a CVSS score of 7.1. Currently, there are no publicly known active campaigns exploiting this vulnerability. No entries on KEV or EPSS scores are available at this time. Review the official Chamilo LMS advisory for further details and potential impact assessments.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS Vector
The definitive mitigation for CVE-2026-33706 is to upgrade Chamilo LMS to version 1.11.38 or later. If an immediate upgrade is not feasible, consider temporary workarounds: restricting access to the update_user_from_username REST endpoint via a web application firewall (WAF) or reverse proxy prevents unauthorized status modifications through that path; reviewing and auditing existing REST API key permissions ensures they follow the principle of least privilege; and regularly monitoring user activity logs surfaces suspicious changes to user statuses. After upgrading to 1.11.38, verify the fix by attempting to modify a user's status via the REST API with a standard user account; the request should be rejected.
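The monitoring workaround above can be scripted. The following is an added example, not code from Chamilo or this advisory: it flags calls to the affected REST action in web server access logs and compares two snapshots of the user table for student-to-teacher status changes (status 5 to status 1, as stated in the advisory). The log lines are constructed, and the endpoint path main/webservices/api/v2.php with the action passed as a query parameter is an assumption about the Chamilo 1.11 REST API; adjust both to your deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Chamilo user.status values as described in the advisory.
STATUS_STUDENT = 5
STATUS_TEACHER = 1  # Teacher / Course Manager

# Constructed sample access-log lines in combined log format. The endpoint path
# and the action name are assumptions about the Chamilo 1.11 REST API.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:09:12:01 +0000] "POST /main/webservices/api/v2.php?action=authenticate HTTP/1.1" 200 312
203.0.113.7 - - [10/Apr/2026:09:12:05 +0000] "POST /main/webservices/api/v2.php?action=update_user_from_username HTTP/1.1" 200 98
198.51.100.4 - - [10/Apr/2026:09:13:40 +0000] "GET /main/webservices/api/v2.php?action=user_courses HTTP/1.1" 200 1450
"""

# Minimal parser for the combined log format: client IP, timestamp, method,
# request target and HTTP status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<code>\d{3})'
)

AFFECTED_ACTION = "update_user_from_username"


def flag_user_update_calls(log_text):
    """Return (ip, timestamp, status code) for each request that invoked the affected action."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = parse_qs(urlsplit(m.group("target")).query)
        if AFFECTED_ACTION in query.get("action", []):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("code"))))
    return hits


def status_escalations(before, after):
    """Compare two {username: status} snapshots (e.g. from the user table) and
    return the users whose status moved from student to teacher/course manager."""
    return sorted(
        user for user, status in after.items()
        if before.get(user) == STATUS_STUDENT and status == STATUS_TEACHER
    )
```

Any hit from a non-administrative API key, or any username returned by status_escalations that was not promoted by an administrator, warrants investigation.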
Update Chamilo LMS to version 1.11.38 or later to mitigate the privilege escalation vulnerability. The update corrects the way user status is updated through the REST API, preventing students from self-promoting to teacher or course administrator roles.
CVE-2026-33706 is a security vulnerability in Chamilo LMS versions 1.11.0 to 1.11.37 that allows authenticated users to escalate their privileges to Teacher/Course Manager, potentially gaining control over courses and users.
You are affected if you are running Chamilo LMS version 1.11.0 through 1.11.37. Upgrade to version 1.11.38 to resolve the vulnerability.
The recommended fix is to upgrade Chamilo LMS to version 1.11.38. As a temporary workaround, restrict access to the update_user_from_username REST endpoint using a WAF or reverse proxy.
Currently, there are no publicly known active campaigns exploiting CVE-2026-33706, but it's crucial to apply the fix proactively.
Refer to the official Chamilo LMS security advisory for detailed information and updates regarding CVE-2026-33706.