Chamilo LMS SSRF: Unauthenticated Attack Poses High Risk

The open-source learning management system, Chamilo LMS, is grappling with a severe Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-34160. According to the National Vulnerability Database, versions prior to 2.0.0-RC.3 are affected. The flaw resides in the PENS (Package Exchange Notification Services) plugin, specifically at the public/plugin/Pens/pens.php endpoint.

Critically, this endpoint is accessible without any authentication. Attackers can manipulate a package-url parameter, which the server fetches using curl. The kicker? There’s no filtering for private or internal IP addresses. This oversight enables unauthenticated SSRF, allowing a threat actor to probe internal network services, potentially accessing sensitive cloud metadata endpoints like 169.254.169.254. Such access could lead to the theft of IAM credentials or other sensitive instance metadata. Furthermore, the receipt and alerts callback parameters can be leveraged to trigger state-changing operations on internal services. The fact that no authentication is required for either SSRF vector significantly broadens the attack surface, making this a prime target for initial access. The National Vulnerability Database indicates a CVSS score of 8.6 (HIGH) for this issue, which has been addressed in version 2.0.0-RC.3.