Platform
php
Component
chamilo-lms
Fixed in
1.11.39
2.0.1
CVE-2026-33707 affects Chamilo LMS, a learning management system, through a flaw in its password reset mechanism. The vulnerability allows an attacker to compute reset tokens and potentially change a user's password without authentication, leading to unauthorized account access. This issue impacts versions 1.11.0 through 2.0.0-RC.3, excluding 1.11.38. A patch is available in versions 1.11.38 and 2.0.0-RC.3.
CVE-2026-33707 in Chamilo LMS affects versions prior to 1.11.38 and 2.0.0-RC.3. The default password reset mechanism generates tokens as sha1($email), with no random component, no expiration, and no rate limiting. An attacker who knows a user's email address can therefore compute that user's reset token and change the victim's password without authentication. The impact is significant, as it compromises user account security and the integrity of data stored within the LMS. Because the token contains no randomness, it is trivially computable from public information, and because it never expires, a computed token remains valid indefinitely.
An attacker could exploit this vulnerability by gathering user email addresses from Chamilo LMS. They would then, using a script or tool, calculate the password reset token for each user. Once the token is obtained, the attacker could request a password reset for the user's account and, upon receiving the email with the link, modify the password. This process could be automated to affect a large number of users, compromising the overall security of the LMS. The lack of protection against brute-force attacks further exacerbates the situation.
Exploit Status
EPSS
0.08% (25th percentile)
CISA SSVC
CVSS Vector
To mitigate this vulnerability, it is strongly recommended to update Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later. These versions include a fix that implements a more secure password reset token generation system, incorporating a random component, an expiration date, and rate limiting. Additionally, review and strengthen your organization's password security policies, including implementing multi-factor authentication (MFA) whenever possible. Monitoring system logs for suspicious activity related to password recovery is also a recommended practice.
Update Chamilo LMS to version 1.11.38 or later, or to version 2.0.0-RC.3 or later. These versions implement a more secure password reset token generation, including a random component, an expiration time, and rate limiting to mitigate the risk of unauthorized access.
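The fixed design described above (a random token, an expiration time, and rate limiting) can be illustrated with the following added example. It is not Chamilo's code and does not reproduce its patch; the class name, the one-hour lifetime, the three-requests-per-hour limit, and the in-memory arrays standing in for database tables are all assumptions chosen for the demonstration. The contrast with the advisory is the token source: it comes from a CSPRNG rather than being derived from the email address, only a hash of it is stored, and verification is constant-time, single-use, and time-bounded.

```php
<?php
// Added example, not Chamilo's code: a password-reset token store with the
// three properties the advisory says the fix adds. Values (TTL, limit) and
// the in-memory storage are assumptions for illustration.

declare(strict_types=1);

final class ResetTokenStore
{
    private const TOKEN_BYTES = 32;            // 256 bits of randomness
    private const TTL_SECONDS = 3600;          // assumed one-hour lifetime
    private const MAX_REQUESTS_PER_HOUR = 3;   // assumed per-email limit

    /** @var array<string, array{hash: string, expires: int}> keyed by email */
    private array $tokens = [];
    /** @var array<string, int[]> issue timestamps keyed by email */
    private array $requests = [];

    // Injected clock so expiry and rate limiting can be exercised deterministically.
    public function __construct(private int $now) {}

    public function setNow(int $now): void { $this->now = $now; }

    /**
     * Issue a reset token. Returns the raw token (the value that would be
     * emailed) or null when the rate limit is hit. Only a hash of the token
     * is stored, so a leaked table does not yield usable tokens.
     */
    public function issue(string $email): ?string
    {
        $windowStart = $this->now - 3600;
        $recent = array_filter($this->requests[$email] ?? [], fn(int $t) => $t > $windowStart);
        if (count($recent) >= self::MAX_REQUESTS_PER_HOUR) {
            return null;
        }
        $recent[] = $this->now;
        $this->requests[$email] = array_values($recent);

        // CSPRNG output: not derived from the email or any other public value.
        $token = bin2hex(random_bytes(self::TOKEN_BYTES));
        $this->tokens[$email] = [
            'hash'    => hash('sha256', $token),
            'expires' => $this->now + self::TTL_SECONDS,
        ];
        return $token;
    }

    /** Verify a presented token: constant-time compare, expiry check, single use. */
    public function consume(string $email, string $token): bool
    {
        $record = $this->tokens[$email] ?? null;
        if ($record === null || $this->now > $record['expires']) {
            return false;
        }
        if (!hash_equals($record['hash'], hash('sha256', $token))) {
            return false;
        }
        unset($this->tokens[$email]);   // a token is valid exactly once
        return true;
    }
}

// Self-checks on constructed data (explicit throw, since assert() may be disabled).
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$base  = 1_700_000_000;
$store = new ResetTokenStore(now: $base);
$email = 'user@example.com';                      // constructed sample address

$t1 = $store->issue($email);
$t2 = $store->issue($email);
check($t1 !== $t2, 'two requests yield two different tokens');
check($store->consume($email, 'deadbeef') === false, 'wrong token rejected');
check($store->consume($email, $t2) === true, 'current token accepted');
check($store->consume($email, $t2) === false, 'replay of a used token rejected');

$store->issue($email);                            // third request within the hour
check($store->issue($email) === null, 'fourth request in the hour is rate limited');

$store->setNow($base + 3601);                     // rate-limit window has passed
$t3 = $store->issue($email);
check($t3 !== null, 'issuing allowed again after the window');

$store->setNow($base + 3601 + 3601);              // past the token's lifetime
check($store->consume($email, $t3) === false, 'expired token rejected');

echo "all checks passed\n";
```

Running the script with PHP 8.0 or later prints "all checks passed". The checks at the bottom map directly onto the advisory's three gaps: the first shows the token cannot be predicted from the email, the expiry check shows a token stops working after its lifetime, and the rate-limit check shows that repeated reset requests for one address are refused inside the window.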
It's a unique identifier for this specific vulnerability in Chamilo LMS.
Update immediately to version 1.11.38 or 2.0.0-RC.3 or later.
If you haven’t updated, there’s a possibility. Monitor your account and change your password immediately after updating.
SHA1 is a cryptographic hash algorithm. While widely used in the past, it is now considered insecure due to known weaknesses that allow collision generation. In this CVE, however, the problem is not SHA1's collision weakness but that the token is derived solely from the email address with no secret or random input, so anyone who knows the email can compute it; swapping in a stronger hash would not fix that.
Use a strong, unique password, enable multi-factor authentication (if available), and keep your software updated.