CVE-2026-33736

Description

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

chamilo / chamilo-lms>= 2.0.0-alpha.1, < 2.0.0-RC.3 – >= 2.0.0-alpha.1, < 2.0.0-RC.3

References

VENDOR_ADVISORYhttps://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9
PATCHhttps://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109