Platform: php
Component: chamilo-lms
Fixed in: 1.11.39, 2.0.1
CVE-2026-33710 is a high-severity vulnerability affecting Chamilo LMS versions 1.11.0 and later, up to but excluding version 2.0.0-RC.3. It stems from a flawed API key generation mechanism that leaves keys open to brute-force guessing, putting the confidentiality and integrity of learning management system data at significant risk. Affected users should upgrade immediately to version 1.11.38 or 2.0.0-RC.3.
The core of this vulnerability is the predictable generation of API keys within Chamilo LMS. Keys are derived from a formula combining the current timestamp, a user ID, and a fixed "random" number (always 10000). Because none of these inputs is secret, an attacker who knows a user's ID and can reasonably estimate when the key was generated can enumerate candidate keys until one is accepted. A successfully guessed key grants unauthorized access to the LMS, potentially allowing the attacker to modify course content, access student data, or perform other administrative actions. The blast radius extends to all data managed within the LMS, including sensitive student information and intellectual property.
As of the public disclosure date (2026-04-10), this vulnerability is not listed on CISA KEV. The EPSS score is likely to be medium, given the relatively straightforward nature of the attack (brute-forcing) and the potential impact (full LMS access). No public proof-of-concept (PoC) code is currently available, but the nature of the vulnerability suggests it could be exploited with little effort. No active campaigns are currently known.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-33710 is to upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3, which include a fix for the flawed API key generation algorithm. If an immediate upgrade is not feasible, consider temporary workarounds. Restricting API key use by IP address or user role limits the impact of a compromised key. Regularly rotating API keys, even while the vulnerable generation method is still in place, shortens an attacker's window of opportunity. Monitor API access logs for unusual activity and for bursts of failed authentication attempts, which are the signature of key guessing. After upgrading, verify the integrity of the installation and confirm that API keys are being generated by the updated, more secure method by examining the source code or configuration files.
Update Chamilo LMS to version 1.11.38 or later, or to version 2.0.0-RC.3 or later. These versions implement a more secure REST API key generation, mitigating the risk of brute-force attacks.
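To make the weakness concrete, and to show the kind of check a post-upgrade verification can use, here is an added PHP illustration. It is not Chamilo's code: the weak function only mirrors the timestamp + user ID + constant 10000 shape the advisory describes, and its hashing step is an assumption; the hardened generator uses the standard CSPRNG.

```php
<?php
// Added illustration, not Chamilo's own code. The "weak" generator mirrors the
// pattern the advisory describes (timestamp + user id + constant 10000); the
// exact Chamilo formula is not reproduced here, and the sha1 step is assumed.
declare(strict_types=1);

// Weak pattern (assumed shape): every input is predictable or constant, so the
// key is a pure function of (second, user id) and the search space is tiny.
function weakApiKey(int $userId, int $timestamp): string
{
    $fixedRandom = 10000; // the constant "random" number the advisory describes
    return sha1($timestamp . $userId . $fixedRandom);
}

// Hardened generator: 32 bytes from the OS CSPRNG, independent of user id and
// time, so knowing both tells an attacker nothing about the key.
function secureApiKey(): string
{
    return bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex characters
}

// Validation should compare in constant time so the check does not leak which
// prefix of a guessed key was correct.
function apiKeyMatches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// Post-upgrade property check: a deterministic generator returns the same key
// for the same (user id, timestamp); a CSPRNG-backed generator never should.
function generatorLooksDeterministic(callable $gen, int $userId, int $ts): bool
{
    return $gen($userId, $ts) === $gen($userId, $ts);
}

$now = time();
var_dump(generatorLooksDeterministic('weakApiKey', 42, $now));
var_dump(generatorLooksDeterministic(fn(int $u, int $t): string => secureApiKey(), 42, $now));
```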
CVE-2026-33710 is a high-severity vulnerability in Chamilo LMS where API keys are generated using a predictable formula, allowing attackers to brute-force them and gain unauthorized access.
You are affected if you are running Chamilo LMS version 1.11.0 or later, up to but excluding 2.0.0-RC.3. Versions 1.11.38 and 2.0.0-RC.3 are not affected.
Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3. Consider temporary workarounds like IP restriction or key rotation if an immediate upgrade is not possible.
As of the public disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it susceptible to attack.
Refer to the official Chamilo LMS security advisories on their website for detailed information and updates regarding CVE-2026-33710.