Platform: php
Component: chamilo-lms
Fixed in: 2.0.1
CVE-2026-40291 describes a privilege escalation vulnerability in Chamilo LMS, an open-source learning management system. The flaw allows an authenticated user holding the ROLE_STUDENT role to elevate their own account to the highly privileged ROLE_ADMIN role. It affects versions of Chamilo LMS prior to 2.0.0-RC.3; a fix is available in version 2.0.0-RC.3.
An attacker exploiting this vulnerability gains complete administrative control over the Chamilo LMS instance, including the ability to modify user accounts, change system settings, access sensitive data, and potentially compromise the entire learning environment. The insecure direct object modification occurs through the /api/users/{id} endpoint, where the API Platform security expression fails to properly validate user roles. Because the roles field is included in the writable serialization group, a user can assign arbitrary roles, including ROLE_ADMIN, to their own account. This represents a significant security risk, potentially leading to data breaches, system disruption, and unauthorized access to learning materials.
CVE-2026-40291 was publicly disclosed on 2026-04-14. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-40291 is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later, which contains the fix for this vulnerability. If an immediate upgrade is not feasible, consider temporary workarounds such as restricting access to the /api/users/{id} endpoint for ROLE_STUDENT users. Review API Platform security expressions to ensure roles are validated on write operations. Monitor API logs for suspicious activity, specifically write requests that modify user roles. After upgrading, confirm the fix by attempting to escalate a ROLE_STUDENT user to ROLE_ADMIN via the /api/users/{id} endpoint; the request should be rejected.
Update Chamilo LMS to version 2.0.0-RC.3 or higher to mitigate the privilege escalation vulnerability. This update corrects the role validation flaw in the API, preventing users with limited roles from modifying their roles to administrator.
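The two defender-side pieces this advisory calls for, a write policy that never lets a non-administrator touch the roles field and a log check for the role-modifying requests the mitigation text says to monitor, can be expressed compactly. The following is an added example written for this page; it is not Chamilo's code, and the JSON access-log format, the field names (actor_id, actor_roles, method, path, body) and the log lines themselves are constructed assumptions, not real Chamilo output.

```python
import json
import re

# Single-user write operations on the endpoint named in the advisory.
USER_WRITE_RE = re.compile(r"^/api/users/(?P<id>\d+)$")
WRITE_METHODS = {"PUT", "PATCH"}

# Constructed sample log: one JSON object per line. Assumed format, not Chamilo's.
SAMPLE_LOG = """\
{"ts":"2026-04-15T10:00:01Z","actor_id":42,"actor_roles":["ROLE_STUDENT"],"method":"GET","path":"/api/users/42","body":null}
{"ts":"2026-04-15T10:00:07Z","actor_id":42,"actor_roles":["ROLE_STUDENT"],"method":"PATCH","path":"/api/users/42","body":{"roles":["ROLE_ADMIN"]}}
{"ts":"2026-04-15T10:01:12Z","actor_id":42,"actor_roles":["ROLE_STUDENT"],"method":"PATCH","path":"/api/users/42","body":{"firstname":"Ana"}}
{"ts":"2026-04-15T10:02:30Z","actor_id":1,"actor_roles":["ROLE_ADMIN"],"method":"PUT","path":"/api/users/77","body":{"roles":["ROLE_TEACHER"]}}
{"ts":"2026-04-15T10:03:45Z","actor_id":55,"actor_roles":["ROLE_TEACHER"],"method":"PATCH","path":"/api/users/56","body":{"roles":["ROLE_ADMIN"]}}
"""


def role_change_allowed(actor_id, actor_roles, target_id, body):
    """Reference policy for the fixed behaviour the advisory describes.

    - Any write containing the `roles` field requires ROLE_ADMIN.
    - Writes without `roles` are allowed for the record owner or an admin.
    The point is that `roles` is decided by the caller's role, never by the
    request body, which is what a writable serialization group failed to do.
    """
    is_admin = "ROLE_ADMIN" in actor_roles
    if body and "roles" in body:
        return is_admin
    return is_admin or actor_id == target_id


def find_role_escalation_attempts(log_text):
    """Return the log entries that tried to write `roles` without ROLE_ADMIN.

    Each finding records who tried, which user record was targeted and the
    roles requested, so an analyst can triage it directly.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry["method"] not in WRITE_METHODS:
            continue
        match = USER_WRITE_RE.match(entry["path"])
        if match is None:
            continue
        target_id = int(match.group("id"))
        body = entry.get("body") or {}
        if "roles" not in body:
            continue
        if role_change_allowed(entry["actor_id"], entry["actor_roles"], target_id, body):
            continue
        findings.append({
            "ts": entry["ts"],
            "actor_id": entry["actor_id"],
            "actor_roles": entry["actor_roles"],
            "target_id": target_id,
            "requested_roles": body["roles"],
            "self_targeted": entry["actor_id"] == target_id,
        })
    return findings


if __name__ == "__main__":
    for hit in find_role_escalation_attempts(SAMPLE_LOG):
        print(hit)
```

Running the block against the constructed log flags two entries: the student patching their own record with ROLE_ADMIN (the pattern this CVE describes) and a teacher assigning ROLE_ADMIN to another user; the administrator's legitimate role change and the student's name-only update are not reported. On a patched instance the same policy is what the server should enforce, so any hit in production logs is a rejected attempt worth investigating rather than a successful escalation.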
CVE-2026-40291 is a vulnerability in Chamilo LMS versions prior to 2.0.0-RC.3 that allows authenticated ROLE_STUDENT users to escalate their privileges to ROLE_ADMIN.
You are affected if you are using Chamilo LMS versions 2.0-RC.3 or earlier. Upgrade to 2.0.0-RC.3 or later to mitigate the risk.
Upgrade Chamilo LMS to version 2.0.0-RC.3 or later. As a temporary workaround, restrict access to the /api/users/{id} endpoint for ROLE_STUDENT users.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official Chamilo LMS security advisories on their website for the latest information and updates regarding CVE-2026-40291.