CVE-2026-33736

Published Apr 10, 2026

Last updated 14 days ago

CVSS medium 6.5

lms

Overview

Description: Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3.
Source: security-advisories@github.com
NVD status: Analyzed
Products: chamilo_lms

Risk scores

CVSS 3.1

Type: Secondary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-639

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*",
            "matchCriteriaId": "4AF7661F-C1F7-4CAB-BBDF-FC5BF7F5BEB8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*",
            "matchCriteriaId": "FE56AF71-9D53-42C6-980D-09E1C418ED87",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*",
            "matchCriteriaId": "01195674-9E1A-4C07-B7D3-0F0CC2E6511B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*",
            "matchCriteriaId": "BAE63449-5A56-4302-A4BF-F3D19FC96A80",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*",
            "matchCriteriaId": "A84A06F9-5AB7-4703-8153-33AC68882B95",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*",
            "matchCriteriaId": "B91302A3-53DE-4ED0-BAAB-FE9DA03F8242",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*",
            "matchCriteriaId": "46008D4A-96F7-4E04-8256-E115AAAE3383",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*",
            "matchCriteriaId": "6E2BCAFF-D44B-4E67-998A-DF855E27606B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*",
            "matchCriteriaId": "D2E7D018-E4C2-45F5-8D9A-DAC947173607",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*",
            "matchCriteriaId": "DAF96697-6B6D-459D-9510-E5CEEDC2859B",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References