CVE-2025-50199: CWE-918: Server-Side Request Forgery (SSRF) in chamilo chamilo-lms
Chamilo is a learning management system. Prior to version 1.11.30, there is a blind SSRF vulnerability in /index.php via the POST openid_url parameter. This issue has been patched in version 1.11.30.
AI Analysis
Technical Summary
Chamilo LMS, an open-source learning management system, suffers from a blind Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2025-50199. This vulnerability is located in the /index.php script, specifically in the handling of the POST parameter openid_url. Prior to version 1.11.30, the application fails to properly validate or sanitize this parameter, allowing an attacker to coerce the server into making arbitrary HTTP requests to internal or external resources. Because the SSRF is blind, the attacker does not receive direct feedback from the targeted resource, but can still use side channels or server behavior to infer results. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N) indicates a network attack vector, low complexity, no privileges or user interaction required, no direct confidentiality, integrity or availability impact on the vulnerable system itself, and a high confidentiality impact on subsequent systems (SC:H) with no subsequent integrity or availability impact. The flaw could be leveraged to access internal services not exposed externally, potentially leading to sensitive data exposure, internal network reconnaissance, or further exploitation chains. The issue was reserved in June 2025 and published in March 2026, with no known public exploits reported yet. The vendor patched this vulnerability in Chamilo LMS version 1.11.30, and users are strongly advised to upgrade to this or later versions.
Potential Impact
The SSRF vulnerability in Chamilo LMS can have significant impacts on organizations using affected versions. Attackers can exploit this flaw to make the LMS server send arbitrary HTTP requests, potentially accessing internal-only services such as databases, metadata services in cloud environments, or administrative interfaces. This can lead to unauthorized information disclosure, including sensitive internal network details or credentials. Additionally, SSRF can be a stepping stone for further attacks like remote code execution or lateral movement within the network. Given that Chamilo LMS is widely used in educational institutions, the compromise of such systems could disrupt learning activities, expose student and staff data, and damage institutional reputation. The lack of authentication or user interaction requirements increases the risk of automated exploitation attempts. Although no known exploits are currently active in the wild, the high CVSS score and broad attack surface mean organizations should treat this vulnerability as a critical risk until patched.
Mitigation Recommendations
Organizations should immediately upgrade Chamilo LMS installations to version 1.11.30 or later, where this SSRF vulnerability has been patched. Until upgrading is possible, administrators should implement network-level controls to restrict outbound HTTP requests from the LMS server, limiting access to only trusted destinations. Web application firewalls (WAFs) can be configured to detect and block suspicious POST requests containing the openid_url parameter or unusual request patterns. Monitoring server logs for anomalous outbound requests or unexpected internal resource access attempts can help detect exploitation attempts. Additionally, applying the principle of least privilege to the LMS server's network permissions and isolating it from sensitive internal services reduces potential impact. Regularly auditing and updating all third-party components and dependencies is also recommended to prevent similar vulnerabilities.
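As an added illustration of the validation the affected parameter lacked (this is example code, not Chamilo's own fix or its OpenID handling), the following Python check rejects a user-supplied URL before the server fetches it: non-HTTP schemes, embedded credentials, unusual ports, and any hostname that resolves to loopback, private, link-local (cloud metadata), or other non-public address space. The hostnames and the FAKE_DNS map are constructed so the example runs offline; a deployment would resolve with socket.getaddrinfo() and pin the resolved address for the actual fetch to defeat DNS rebinding.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges a server-side fetch of a user-supplied URL must never reach.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed stand-in for DNS so the example runs offline (hypothetical names).
FAKE_DNS = {
    "openid.example.org": ["203.0.113.10"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example.net": ["203.0.113.20", "127.0.0.1"],
}

def resolve(host, resolver):
    # An IP literal maps to itself; shorthand or decimal literals that ipaddress
    # rejects fall through to the resolver and, being absent there, are refused.
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver.get(host, [])]

def is_denied(ip):
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) before checking ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in DENIED_NETWORKS)

def validate_openid_url(url, resolver=FAKE_DNS):
    """Return (ok, reason) for a URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if parts.port not in (None, 80, 443):
        return False, "non-standard port"
    addrs = resolve(parts.hostname, resolver)
    if not addrs:
        return False, "unresolvable host"
    # Every answer must be acceptable: a mixed answer set is a rebinding attempt.
    for ip in addrs:
        if is_denied(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"
```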
Affected Countries
United States, Canada, United Kingdom, Germany, France, Brazil, India, Australia, South Africa, Spain, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-13T19:17:51.728Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a5b69f32ffcdb8a2520647
Added to database: 3/2/2026, 4:11:11 PM
Last enriched: 3/9/2026, 5:08:02 PM
Last updated: 4/16/2026, 5:35:34 AM