CVE-2026-33710

Published: Apr 10, 2026

Modified: Apr 13, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Vendor	Product	Versions
chamilo	chamilo-lms	affected `< 1.11.38` affected `>= 2.0.0-alpha.1, < 2.0.0-RC.3`

Weaknesses (CWE)

CWE-330

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39

x_refsource_CONFIRM

https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09

x_refsource_MISC

https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-33710

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References