Auth bypass in Chamilo Chamilo-lms
CVE-2026-33703
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data an…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.000 (11.0th percentile)
Affected products
- Chamilo Chamilo-lms — versions < 2.0.0-RC.3
Weakness classification (CWE)
References
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5 (x_refsource_CONFIRM)