Platform
php
Component
pens
Fixed in
2.0.0-RC.3
CVE-2026-34160 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the PENS Plugin of Chamilo LMS. This vulnerability allows an unauthenticated attacker to craft malicious requests through the package-url parameter, potentially exposing internal network services and sensitive data. The vulnerability impacts versions 1.0.0 through 2.0-RC.2, and a fix is available in version 2.0.0-RC.3.
The SSRF vulnerability in the Chamilo LMS PENS plugin poses a significant risk. Attackers can use it to probe internal network services, bypassing standard network segmentation. A particularly concerning attack vector is access to cloud metadata endpoints, such as 169.254.169.254, which can expose IAM credentials and other sensitive instance metadata. Successful exploitation could lead to unauthorized access to cloud resources, data breaches, and potentially complete compromise of the Chamilo LMS instance and connected systems. As with other SSRF flaws, the server is effectively turned into a proxy for reaching resources the attacker could not reach directly.
CVE-2026-34160 was published on 2026-04-14. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation. There are no publicly known proof-of-concept exploits available at this time, but the SSRF nature of the vulnerability makes it likely that one will emerge. The vulnerability's ease of exploitation and potential impact warrant close monitoring.
Organizations utilizing Chamilo LMS, particularly those deploying it in cloud environments (AWS, Azure, GCP), are at significant risk. Shared hosting environments where multiple Chamilo instances reside on the same server are also vulnerable, as a compromise of one instance could potentially lead to the compromise of others. Legacy Chamilo installations that have not been regularly updated are especially susceptible.
• web: Use curl or wget to check if the pens.php endpoint is accessible without authentication and if the package-url parameter accepts arbitrary URLs.
curl -I http://your-chamilo-instance/public/plugin/Pens/pens.php?package-url=http://169.254.169.254/latest/meta-data/iam/security-credentials/admin
• generic web: Examine access and error logs for requests to pens.php with unusual or internal IP addresses in the package-url parameter.
• php: Review the pens.php file for the absence of input validation on the package-url parameter.
disclosure
Exploit Status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34160 is to immediately upgrade Chamilo LMS to version 2.0.0-RC.3 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict network access to the PENS plugin endpoint (public/plugin/Pens/pens.php) using a Web Application Firewall (WAF) or proxy server to block requests to internal or sensitive IP addresses. Implement strict input validation on the package-url parameter to prevent malicious URLs. Monitor access logs for suspicious requests originating from the PENS plugin. After upgrading, confirm the fix by attempting to access an internal service through the package-url parameter; the request should be blocked.
Update the PENS plugin to version 2.0.0-RC.3 or later to mitigate the SSRF vulnerability. This update implements filters that prevent the server from retrieving data from private or internal IP addresses, thereby preventing unauthorized access to internal resources.
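The following Python is an added example, not Chamilo or PENS plugin code (the plugin itself is PHP). It covers two points from this page in one place: the detection step from the checks above, triaging access-log entries for pens.php requests whose package-url points at an internal address, and the kind of private-address filter the fix describes, written as a reference pre-fetch check that resolves the target host and tests every answer against loopback, link-local, RFC 1918 and related ranges. The log lines, client addresses, hostnames and the resolver stubs are constructed for the example and are not taken from any real deployment.

```python
"""Reference SSRF target check and access-log triage for a package-url style
parameter. Added illustration, not Chamilo/PENS code; all sample data is
constructed for the example."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetcher driven by user input must never contact:
# "this network", RFC 1918, CGNAT, loopback, link-local (cloud metadata
# endpoints live in 169.254.0.0/16), plus the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip_str):
    """True if the address lies in a blocked range (or cannot be parsed at all)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host):
    """Every A/AAAA answer for host (default resolver; injectable for tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_package_url(url, resolver=resolve_all):
    """Server-side check to run before fetching: returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal address, nothing to resolve
    except ValueError:
        # Shorthand like "127.1" is not a parsable literal and ends up here;
        # the system resolver normalises it, so it is still caught below.
        try:
            addrs = resolver(host)
        except OSError:
            return False, "resolution failed"
        if not addrs:
            return False, "host does not resolve"
    # Reject if *any* answer is internal: a name with a mixed answer set is
    # still a foothold for DNS rebinding.
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"target address {addr} is in a blocked range"
    return True, "ok"


# Request line of an Apache/nginx combined-format entry that hits pens.php.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S*/pens\.php\?\S*) HTTP/')


def classify_target(target):
    """Offline verdict for one package-url value (no DNS during log triage)."""
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "bad-scheme"
    host = parts.hostname or ""
    if not host:
        return "missing-host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return "localhost" if host.lower() == "localhost" else "hostname"
    return "internal-ip" if is_blocked_ip(host) else "public-ip"


def triage_pens_log(lines):
    """(client, target, verdict) for every pens.php request carrying package-url."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = parse_qs(urlsplit(m.group(1)).query).get("package-url", [""])[0]
        if not target:
            continue
        findings.append((line.split(" ", 1)[0], target, classify_target(target)))
    return findings


# Constructed sample log (combined format); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2026:10:00:01 +0000] "GET /public/plugin/Pens/pens.php?package-url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.5 - - [14/Apr/2026:10:00:02 +0000] "GET /public/plugin/Pens/pens.php?package-url=http://10.0.0.12:8080/ HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '198.51.100.7 - - [14/Apr/2026:10:03:10 +0000] "GET /public/plugin/Pens/pens.php?package-url=https%3A%2F%2Fpackages.example.org%2Fcourse.zip HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Apr/2026:10:04:00 +0000] "GET /main/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, target, verdict in triage_pens_log(SAMPLE_LOG):
        print(f"{verdict:12} client={client} target={target}")
    print(check_package_url("http://169.254.169.254/latest/meta-data/"))
```

Two caveats that a check like this does not remove on its own: the fetcher must connect to the address that was validated (re-resolving at connect time reopens the DNS rebinding window), and any HTTP redirect must be passed through the same check before it is followed. The log triage is deliberately offline: hostnames are reported for manual review rather than resolved from the analyst's machine.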
CVE-2026-34160 is a Server-Side Request Forgery (SSRF) vulnerability in the PENS plugin of Chamilo LMS versions 1.0.0 through 2.0-RC.2, allowing unauthenticated attackers to probe internal services.
You are affected if you are running Chamilo LMS with the PENS plugin in versions 1.0.0 through 2.0-RC.2. Upgrade to 2.0.0-RC.3 or later to mitigate the risk.
The recommended fix is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later. As a temporary workaround, restrict access to the pens.php endpoint and validate the package-url parameter.
There are currently no publicly known active exploits for CVE-2026-34160, but its SSRF nature makes it a likely target for exploitation.
Refer to the official Chamilo security advisory for CVE-2026-34160 on the Chamilo website (check their security announcements page).