Platform: php
Component: pens
Fixed in: 2.0.0-RC.3
CVE-2026-34160 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the PENS Plugin of Chamilo LMS. This vulnerability allows an unauthenticated attacker to craft malicious requests through the package-url parameter, potentially exposing internal network services and sensitive data. The vulnerability impacts versions 1.0.0 through 2.0-RC.2, and a fix is available in version 2.0.0-RC.3.
The SSRF vulnerability in the Chamilo LMS PENS plugin poses a significant risk. Attackers can leverage it to probe internal network services, bypassing standard network segmentation. A particularly concerning attack vector involves accessing cloud metadata endpoints, such as 169.254.169.254, which can expose IAM credentials and other sensitive instance metadata. Successful exploitation could lead to unauthorized access to cloud resources, data breaches, and potentially complete compromise of the Chamilo LMS instance and connected systems. This vulnerability shares similarities with other SSRF exploits in which attackers use the server as a proxy to reach resources it should not be able to access.
CVE-2026-34160 was published on 2026-04-14. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation. There are no publicly known proof-of-concept exploits available at this time, but the SSRF nature of the vulnerability makes it likely that one will emerge. The vulnerability's ease of exploitation and potential impact warrant close monitoring.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-34160 is to immediately upgrade Chamilo LMS to version 2.0.0-RC.3 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict network access to the PENS plugin endpoint (public/plugin/Pens/pens.php) using a Web Application Firewall (WAF) or proxy server to block requests to internal or sensitive IP addresses. Implement strict input validation on the package-url parameter to prevent malicious URLs. Monitor access logs for suspicious requests originating from the PENS plugin. After upgrading, confirm the fix by attempting to access an internal service through the package-url parameter; the request should be blocked.
Update the PENS plugin to version 2.0.0-RC.3 or higher to mitigate the SSRF vulnerability. This update implements filters to prevent the server from retrieving data from private or internal IP addresses, thus preventing unauthorized access to internal resources.
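One way to implement the kind of filter described above, added here as a Python example rather than Chamilo's own patch (the function names and the .example.test hosts are constructed for illustration):

```python
"""Defender-side validator for a fetch-URL parameter such as package-url.
Added example, not Chamilo code: rejects URLs whose host is loopback,
private, link-local (covers 169.254.169.254) or otherwise non-public,
resolving host names so a name that points at an internal address is caught.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve(host):
    """Default resolver: every address the name maps to (A and AAAA)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def is_public(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return addr.is_global and not addr.is_multicast

def check_package_url(url, resolver=resolve):
    """Return (accepted, reason); resolver is injectable for offline tests."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP, no lookup
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    # Every address must be public: a name that maps to both a public and a
    # private address still lets the fetch land on the private one.
    bad = sorted(a for a in addrs if not is_public(a))
    if bad:
        return False, "non-public address: " + ", ".join(bad)
    return True, "ok"
```

Checking at submission time alone does not cover a name that resolves differently at fetch time, so in production pin the fetch to the address that passed the check and re-run the check on any redirect.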
CVE-2026-34160 is a Server-Side Request Forgery (SSRF) vulnerability in the PENS plugin of Chamilo LMS versions 1.0.0 through 2.0-RC.2, allowing unauthenticated attackers to probe internal services.
You are affected if you are running Chamilo LMS with the PENS plugin in versions 1.0.0 through 2.0-RC.2. Upgrade to 2.0.0-RC.3 or later to mitigate the risk.
The recommended fix is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later. As a temporary workaround, restrict access to the pens.php endpoint and validate the package-url parameter.
There are currently no publicly known active exploits for CVE-2026-34160, but its SSRF nature makes it a likely target for exploitation.
Refer to the official Chamilo security advisory for CVE-2026-34160 on the Chamilo website (check their security announcements page).