Chamilo LMS SSRF Flaw: Unauthenticated Email Relay Risk

The National Vulnerability Database (NVD) has documented CVE-2026-33715, a high-severity vulnerability impacting Chamilo LMS, an open-source learning management system. Specifically, version 2.0-RC.2 contains a critical flaw in the public/main/inc/ajax/install.ajax.php file. This endpoint, unlike others, lacks proper authentication and installation-completed checks because it fails to include the global.inc.php file.

This oversight allows unauthenticated attackers to leverage the test_mailer action. According to the NVD, this action accepts an arbitrary Symfony Mailer DSN string via POST data, which is then used to connect to an attacker-specified SMTP server. This opens the door to Server-Side Request Forgery (SSRF) into internal networks using the SMTP protocol. Beyond network traversal, an unauthenticated attacker can weaponize affected Chamilo servers as open email relays for phishing and spam campaigns, with emails appearing to originate from the server’s IP. Furthermore, failed SMTP connection error responses could inadvertently disclose sensitive information about the internal network topology and running services. The NVD confirms this issue has been patched in version 2.0.0-RC.3.
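As an added example (not Chamilo code and not one of the detection rules the page refers to), the following Python script applies the detection idea above to a few constructed log lines: on a deployed instance, any POST to the install endpoint with the test_mailer action is suspicious, and a call whose DSN points at a non-routable address is the SSRF-into-internal-network case. The log format, the body= field, the parameter names a and dsn, and the assumption that public/ is the web root are all assumptions of this example; the advisory only states that the action is test_mailer and that the DSN arrives via POST data.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (not real traffic). Combined-log prefix plus a
# hypothetical WAF field body="..." carrying the URL-encoded POST body; plain
# access logs do not record bodies, so a WAF or application log is assumed.
SAMPLE_LOGS = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "POST /main/inc/ajax/install.ajax.php?a=test_mailer HTTP/1.1" 200 120 body="dsn=smtp%3A%2F%2F10.0.0.5%3A25"',
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "POST /main/inc/ajax/install.ajax.php?a=test_mailer HTTP/1.1" 500 340 body="dsn=smtp%3A%2F%2Fmail.example.net%3A587"',
    '198.51.100.9 - - [01/Jan/2026:10:00:02 +0000] "GET /main/inc/ajax/install.ajax.php?a=status HTTP/1.1" 200 40 body=""',
    '198.51.100.9 - - [01/Jan/2026:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 body=""',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ body="(?P<body>[^"]*)"$'
)

# Path from the advisory; public/ is assumed to be the web root and so absent from the URL.
VULN_PATH = "/main/inc/ajax/install.ajax.php"
ACTION_PARAM = "a"      # assumed name of the action parameter
DSN_PARAM = "dsn"       # assumed name of the POST field carrying the Mailer DSN


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["post"] = parse_qs(rec["body"])   # parse_qs also URL-decodes the values
    return rec


def dsn_target_class(dsn):
    """Classify the host of a Mailer-style DSN (scheme://[user:pass@]host[:port]).

    'internal' covers every non-globally-routable literal address (RFC 1918,
    loopback, link-local, reserved), which is the SSRF-into-internal-network
    case from the advisory. A hostname cannot be resolved offline, so it is
    reported as such rather than guessed.
    """
    host = urlparse(dsn).hostname
    if host is None:
        return "malformed"
    try:
        addr = ip_address(host)
    except ValueError:
        return "hostname"
    return "external" if addr.is_global else "internal"


def detect(lines):
    """Return one finding per test_mailer call against the install endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_PATH:
            continue
        action = (rec["query"].get(ACTION_PARAM) or rec["post"].get(ACTION_PARAM) or [None])[0]
        if action != "test_mailer":
            continue
        dsn = (rec["post"].get(DSN_PARAM) or [None])[0]
        target = dsn_target_class(dsn) if dsn else "absent"
        if target == "internal":
            severity, reason = "critical", "DSN points at a non-routable address: SSRF into the internal network"
        elif target in ("external", "hostname"):
            severity, reason = "high", "DSN points at an outside SMTP host: possible open-relay abuse"
        else:
            severity, reason = "high", "test_mailer reached without authentication on a deployed instance"
        findings.append({
            "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
            "dsn": dsn, "target": target, "severity": severity, "reason": reason,
            # The advisory notes that failed-connection errors can leak internal
            # details; treating a 5xx reply as that error path is an assumption.
            "error_response": rec["status"].startswith("5"),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f['severity']:8} {f['ip']:14} {f['target']:9} {f['dsn']!r:40} {f['reason']}")
```

On a production instance where installation has completed, the expected count of hits is zero, so the rule needs no baseline: any test_mailer call to this path is worth an alert, and the DSN classification only decides how urgent it is. Hostnames in the DSN are deliberately left unresolved; resolving them from the SIEM would be a separate enrichment step.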

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application (Initial Access), severity high: Web Application Exploitation Attempt — CVE-2026-33715

Detection Rules

4 auto-generated detection rules for this incident, mapped to MITRE ATT&CK, available in Sigma, Splunk SPL, Sentinel KQL, Elastic Lucene, and QRadar AQL.

Indicators of Compromise

ID              Type                    Indicator
CVE-2026-33715  SSRF                    Chamilo LMS version 2.0-RC.2, file public/main/inc/ajax/install.ajax.php, test_mailer action
CVE-2026-33715  Auth Bypass             Chamilo LMS version 2.0-RC.2, file public/main/inc/ajax/install.ajax.php accessible without authentication
CVE-2026-33715  Information Disclosure  Chamilo LMS version 2.0-RC.2, SMTP connection error responses disclosing internal network topology/services
CVE-2026-33715  Misconfiguration        Chamilo LMS version 2.0-RC.2, public/main/inc/ajax/install.ajax.php missing global.inc.php include
