Platform: php
Component: chamilo-lms
Fixed version: 2.0.1
CVE-2026-40291 describes a privilege escalation vulnerability in Chamilo LMS, an open-source learning management system. The flaw allows authenticated users holding the ROLE_STUDENT role to elevate themselves to the highly privileged ROLE_ADMIN role. It affects versions of Chamilo LMS prior to 2.0.0-RC.3; the fix is available in version 2.0.0-RC.3.
An attacker exploiting this vulnerability can gain complete administrative control over the Chamilo LMS instance. This includes the ability to modify user accounts, change system settings, access sensitive data, and potentially compromise the entire learning environment. The insecure direct object modification occurs through the /api/users/{id} endpoint, where the API Platform's security expression fails to properly validate user roles. The roles field, being included in the writable serialization group, allows attackers to arbitrarily assign roles, including ROLE_ADMIN, to their accounts. This represents a significant security risk, potentially leading to data breaches, system disruption, and unauthorized access to learning materials.
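The configuration pattern described above, as an added illustration in Symfony / API Platform terms. This is not Chamilo's code and does not reproduce its entity or operation definitions; the class names (WeakUser, User), the property names, the serialization group names (user:read, user:write, user:admin_write) and the extra /users/{id}/roles operation are assumptions chosen for the example. It shows the weak shape (the roles field in the writable group, an operation guarded only by an "is authenticated" check) next to a hardened shape that closes the same path in three independent places.

```php
<?php
// Added illustration, not Chamilo's code: a Symfony / API Platform user
// resource showing the weak configuration CVE-2026-40291 describes (roles
// writable through PATCH /api/users/{id} by any authenticated user) and a
// hardened one. Class, property, group and operation names are assumptions.

declare(strict_types=1);

namespace App\Entity;

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\Patch;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Serializer\Annotation\Groups;

/**
 * WEAK: "roles" sits in the writable group and the Patch operation only
 * requires an authenticated caller, so a ROLE_STUDENT account can rewrite its
 * own role list through the generic PATCH operation.
 */
#[ApiResource(
    operations: [
        new Get(security: "is_granted('ROLE_USER')"),
        new Patch(security: "is_granted('ROLE_USER')"),
    ],
    normalizationContext: ['groups' => ['user:read']],
    denormalizationContext: ['groups' => ['user:write']],
)]
class WeakUser
{
    #[Groups(['user:read', 'user:write'])]
    public array $roles = ['ROLE_STUDENT'];
}

/**
 * HARDENED: three independent controls; any one of them blocks the escalation.
 */
#[ApiResource(
    operations: [
        new Get(security: "is_granted('ROLE_USER')"),
        // 1. Only the account owner or an admin may edit a user record at all.
        new Patch(
            security: "is_granted('ROLE_ADMIN') or object == user",
            // 2. Evaluated after the request body has been applied: a non-admin
            //    must not have changed the role list. previous_object is the
            //    snapshot API Platform takes before denormalization.
            securityPostDenormalize: "is_granted('ROLE_ADMIN') or object.getRoles() == previous_object.getRoles()",
        ),
        // Role changes get their own admin-only operation and write group
        // (assumed route; not part of the Chamilo API described on this page).
        new Patch(
            uriTemplate: '/users/{id}/roles',
            security: "is_granted('ROLE_ADMIN')",
            denormalizationContext: ['groups' => ['user:admin_write']],
        ),
    ],
    normalizationContext: ['groups' => ['user:read']],
    denormalizationContext: ['groups' => ['user:write']],
)]
class User implements UserInterface
{
    #[Groups(['user:read', 'user:write'])]
    private string $email = '';

    // 3. "roles" is readable but absent from 'user:write', so the generic
    //    PATCH ignores it; only the admin-only group can set it.
    #[Groups(['user:read', 'user:admin_write'])]
    private array $roles = ['ROLE_STUDENT'];

    public function getUserIdentifier(): string
    {
        return $this->email;
    }

    /** @return string[] */
    public function getRoles(): array
    {
        // Every account keeps ROLE_USER, so is_granted('ROLE_USER') means "logged in".
        return array_values(array_unique([...$this->roles, 'ROLE_USER']));
    }

    /** @param string[] $roles */
    public function setRoles(array $roles): void
    {
        $this->roles = $roles;
    }

    public function eraseCredentials(): void
    {
    }
}
```

Removing roles from the writable group is the fix that matches the root cause stated above; the ownership check and the securityPostDenormalize expression are defence in depth, so a later change that re-adds the field to a write group does not silently reopen the same path. A regression test for this resource is the check the mitigation section describes: a PATCH of the roles field by a ROLE_STUDENT account must be rejected, and the stored role list must be unchanged afterwards.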
CVE-2026-40291 was publicly disclosed on 2026-04-14. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is not listed on the CISA KEV catalog at the time of writing.
Educational institutions and organizations utilizing Chamilo LMS for online learning are at risk. Specifically, deployments with a large number of student users and those relying heavily on the LMS API for integrations are particularly vulnerable. Organizations using older, unpatched versions of Chamilo LMS are also at increased risk.
• php: Examine Chamilo LMS API logs for requests to /api/users/{id} where the roles field is being modified by a user with ROLE_STUDENT.
  grep 'ROLE_STUDENT.*roles' /var/log/chamilo/api.log
• generic web: Monitor access logs for unusual patterns of requests to the /api/users/{id} endpoint, particularly those originating from users with the ROLE_STUDENT role.
  grep -E '/api/users/[0-9]+' /var/log/apache2/access.log
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40291 is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later, which contains the fix for this vulnerability. If an immediate upgrade is not feasible, consider temporary workarounds such as restricting access to the /api/users/{id} endpoint for ROLE_STUDENT users. Review API Platform security expressions to ensure proper role validation. Monitor API logs for suspicious activity, specifically modifications to user roles. After upgrading, confirm the fix by attempting to escalate a ROLE_STUDENT user to ROLE_ADMIN via the /api/users/{id} endpoint; the request should be rejected.
To mitigate this privilege escalation vulnerability, update Chamilo LMS to version 2.0.0-RC.3 or later. This update fixes the role-validation flaw in the API so that users with a restricted role can no longer change themselves to the administrator role.
CVE-2026-40291 is a vulnerability in Chamilo LMS versions prior to 2.0.0-RC.3 that allows authenticated ROLE_STUDENT users to escalate their privileges to ROLE_ADMIN.
You are affected if you are using Chamilo LMS versions 2.0-RC.3 or earlier. Upgrade to 2.0.0-RC.3 or later to mitigate the risk.
Upgrade Chamilo LMS to version 2.0.0-RC.3 or later. As a temporary workaround, restrict access to the /api/users/{id} endpoint for ROLE_STUDENT users.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official Chamilo LMS security advisories on their website for the latest information and updates regarding CVE-2026-40291.