CVE-2026-40291

Published: Apr 14, 2026

Modified: Apr 15, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.

Vendor	Product	Versions
chamilo	chamilo-lms	affected `< 2.0-RC.3`

Weaknesses (CWE)

CWE-269

CWE-863

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x

x_refsource_CONFIRM

https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-40291

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References