Chamilo LMS IDOR Flaw Exposes User-Course Enrollments

/HIGH
SCW vulnerabilitycvehigh-severitycwe-639
Chamilo LMS IDOR Flaw Exposes User-Course Enrollments

The National Vulnerability Database has flagged CVE-2026-34602, a high-severity Insecure Direct Object Reference (IDOR) vulnerability impacting Chamilo LMS, an open-source learning management system. Specifically, versions prior to 2.0.0-RC.3 are susceptible via the /api/course_rel_users endpoint. This flaw allows an authenticated attacker to manipulate the user parameter in a request, enabling them to enroll any user into any course without proper authorization.

This isn’t just a minor oversight; it’s a classic IDOR where the backend blindly trusts user-supplied input without verifying if the requester actually owns or has permission to act on behalf of the referenced user ID. The implications are pretty stark: unauthorized access to course materials, bypassing enrollment controls, and a significant hit to platform integrity. Imagine someone getting access to sensitive training modules they shouldn’t even know exist. The good news is, Chamilo has addressed this in version 2.0.0-RC.3, so patching is critical.

Related ATT&CK Techniques

T1078.004 Abuse Elevation Control Mechanism: Sudo and Sudo Caching Privilege Escalation T1190 Exploit Public-Facing Application Initial Access T1529 System Shutdown/Reboot Impact

🛡️ Detection Rules

6 rules · 5 SIEM formats

6 auto-generated detection rules for this incident, mapped to MITRE ATT&CK. Available in Sigma, Splunk SPL, Sentinel KQL, Elastic Lucene, and QRadar AQL.

high T1078.004 Initial Access

Credential Abuse from Breached Vendor — CVE-2026-34602

Sigma Splunk SPL Sentinel KQL Elastic QRadar AQL

Get this rule in your SIEM's native format — copy, paste, detect. No manual conversion.

6 Sigma rules mapped to the ATT&CK techniques from this breach — pick your SIEM and get a ready-to-paste query.

Get Detection Rules →

Indicators of Compromise

IDTypeIndicator
CVE-2026-34602 IDOR Chamilo LMS versions prior to 2.0.0-RC.3
CVE-2026-34602 IDOR Vulnerable endpoint: /api/course_rel_users
CVE-2026-34602 IDOR Parameter: user in request body

By Shimi's Cyber World Editorial

Related Posts

Critical RCE Flaw Hits NuGet Gallery Backend

CVE-2026-39399 — NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-20cwe-22
/CRITICAL /⚑ 4 IOCs

BoidCMS LFI to RCE: A Critical Template Flaw

CVE-2026-39387 — BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are...

vulnerabilityCVEhigh-severityremote-code-executioncwe-98
/HIGH /⚑ 4 IOCs

Nanobot AI: WebSocket Hijack Puts WhatsApp Sessions at Risk

CVE-2026-35589 — nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server...

vulnerabilityCVEhigh-severitycwe-1385
/HIGH /⚑ 5 IOCs