
CVE-2026-1106: Improper Authorization in Chamilo LMS

Severity: Medium
Tags: Vulnerability, CVE-2026-1106
Published: Sun Jan 18 2026 (01/18/2026, 00:02:09 UTC)
Source: CVE Database V5
Vendor/Project: Chamilo
Product: LMS

Description

A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Manipulating the argument userId results in improper authorization. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 01/25/2026, 19:46:31 UTC

Technical Analysis

CVE-2026-1106 is an improper authorization vulnerability in Chamilo LMS up to and including version 2.0.0 Beta 1. It lies in the deleteLegal function of the Legal Consent Handler component, in src/CoreBundle/Controller/SocialController.php. The action takes a userId argument and acts on it without confirming that the caller is permitted to operate on that user, so a caller who changes userId can have the legal consent record of a different user deleted. The published CVSS 4.0 vector gives PR:L, UI:N and AC:L: the attacker needs an account with low privileges, needs no interaction from the victim, and faces no special preconditions, and the flaw is reachable over the network. PR:L means this is not an unauthenticated vulnerability, but on an LMS where students and self-registered users routinely hold low-privilege accounts the bar for exploitation is low. The impact is partial, on integrity and availability, which the Medium rating reflects. Legal consent records are the evidence that a user accepted the platform's terms, so their deletion bears on compliance obligations such as those under GDPR. The vendor has not responded to the disclosure and no patch is listed, and public exploit code is reported to be available, which raises the likelihood of exploitation. Chamilo LMS is an open-source learning management system used in educational institutions and corporate training environments, so the issue is relevant to organisations that rely on it to manage user consent and legal compliance.
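The pattern the analysis describes, a destructive action keyed entirely on a request-supplied userId, is easiest to see beside its fix. The following is an added illustration written for this page; it is not Chamilo's code, and the class, repository and role names are hypothetical stand-ins chosen so the file runs with plain PHP and no Symfony install. The vulnerable method deletes whatever record the caller names; the hardened one first ties the target to the authenticated principal or to an administrative role, which in a real Symfony controller would be done with `$this->getUser()` and `denyAccessUnlessGranted()`.

```php
<?php
declare(strict_types=1);

// Added example for CVE-2026-1106, not Chamilo's code. All names below are
// hypothetical stand-ins so this runs without Symfony.

final class User
{
    public function __construct(public readonly int $id, public readonly array $roles) {}
}

final class LegalRepository
{
    /** @var array<int, bool> userId => has accepted the terms (constructed sample data) */
    private array $accepted = [7 => true, 42 => true];

    public function deleteByUser(int $userId): void
    {
        unset($this->accepted[$userId]);
    }

    public function hasAccepted(int $userId): bool
    {
        return $this->accepted[$userId] ?? false;
    }
}

final class AccessDeniedException extends RuntimeException {}

final class SocialControllerExample
{
    public function __construct(private readonly LegalRepository $repo) {}

    // VULNERABLE: the only input deciding whose record is deleted is the
    // request-controlled userId; the caller's identity is never compared to it.
    public function deleteLegalVulnerable(User $caller, int $userId): void
    {
        $this->repo->deleteByUser($userId);
    }

    // HARDENED: a user may delete only their own record; anyone else needs ROLE_ADMIN.
    // The check runs before any state change, so a denied call leaves nothing behind.
    public function deleteLegalHardened(User $caller, int $userId): void
    {
        $isSelf  = $caller->id === $userId;
        $isAdmin = in_array('ROLE_ADMIN', $caller->roles, true);
        if (!$isSelf && !$isAdmin) {
            throw new AccessDeniedException(
                "user {$caller->id} may not delete the legal record of user {$userId}"
            );
        }
        $this->repo->deleteByUser($userId);
    }
}

// Demonstration: low-privileged user 7 names user 42 in the userId argument.
$attacker = new User(7, ['ROLE_USER']);

$repo = new LegalRepository();
(new SocialControllerExample($repo))->deleteLegalVulnerable($attacker, 42);
echo 'vulnerable: user 42 still has a consent record? ',
     var_export($repo->hasAccepted(42), true), PHP_EOL;

$repo = new LegalRepository();
try {
    (new SocialControllerExample($repo))->deleteLegalHardened($attacker, 42);
} catch (AccessDeniedException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;
}
echo 'hardened: user 42 still has a consent record? ',
     var_export($repo->hasAccepted(42), true), PHP_EOL;
```

Run it with `php example.php`. The point of the hardened version is that the decision is made on the server's own view of who the caller is, not on anything the client sent; validating that userId is a well-formed integer would not have helped, because the attacker's value is a perfectly valid integer.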

Potential Impact

For European organisations, this improper authorization vulnerability in Chamilo LMS puts the integrity of consent data and compliance with data protection regulations such as GDPR at risk. Consent records are the evidence that a user accepted the platform's terms; if any holder of a low-privileged account can delete another user's record, that evidence can be destroyed without the affected user or the operator noticing, which undermines auditability and can lead to non-compliance, legal penalties and reputational damage. Deleted records may also force users to re-accept terms before they can continue, disrupting learning management operations for educational institutions and corporate training providers. Because the flaw needs only a low-privileged account and no interaction from the victim, an internet-facing LMS with self-registration or a large student population exposes it to a wide pool of potential attackers. The absence of a vendor response or patch leaves organisations to rely on compensating controls. The Medium CVSS score reflects moderate technical severity, but the regulatory and operational consequences raise the importance of the threat in the European context.

Mitigation Recommendations

European organisations should inventory their Chamilo LMS deployments and identify any running version 2.0.0 Beta 1 or earlier, then watch the vendor's release channel and apply a fixed build as soon as one exists. Until then, the compensating control that addresses the flaw is an authorization check, not input validation: before deleting anything, the deleteLegal action must verify that the userId it is given belongs to the authenticated user, or that the caller holds an administrative role. Organisations that deploy from source can add that check locally. Treat WAF rules as a secondary layer only; a WAF cannot tell which account a session belongs to, so it can at most rate-limit or alert on calls to the deleteLegal action, not decide whether a particular userId is legitimate. Because the flaw is reachable by any authenticated user, disable self-registration where the LMS does not need it, and put instances that serve only an internal population behind a VPN or an IP allow-list. Log every call to deleteLegal together with the acting account and the targeted userId, and alert when the two differ for a non-administrative caller or when one account targets many userIds in a short window. Review who holds permissions related to legal consent management. Follow the Chamilo project's issue tracker and community channels for an official fix and plan its rapid deployment; if timely remediation is not feasible, weigh alternative LMS solutions. Reinforce organisational policies on consent data handling and incident response readiness.
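The logging and alerting step above is only useful if the log carries both the acting account and the targeted userId. The script below is an added example written for this page, not part of the advisory or of Chamilo; it assumes the application emits one JSON line per deleteLegal call with the fields shown, and the log lines are constructed. It flags cross-user deletions by non-administrators and, separately, any single account that has deleted consent records for more than a threshold of distinct users, which is what userId enumeration would look like.

```php
<?php
declare(strict_types=1);

// Added detection example for CVE-2026-1106. The log format and field names are
// assumptions; the lines below are constructed, not real Chamilo output.
const SAMPLE_LOG = <<<'LOG'
{"ts":"2026-01-20T09:12:01Z","action":"deleteLegal","actor_id":42,"actor_roles":["ROLE_USER"],"target_user_id":42}
{"ts":"2026-01-20T09:13:10Z","action":"deleteLegal","actor_id":7,"actor_roles":["ROLE_USER"],"target_user_id":42}
{"ts":"2026-01-20T09:13:11Z","action":"deleteLegal","actor_id":7,"actor_roles":["ROLE_USER"],"target_user_id":43}
{"ts":"2026-01-20T09:13:12Z","action":"deleteLegal","actor_id":7,"actor_roles":["ROLE_USER"],"target_user_id":44}
{"ts":"2026-01-20T10:00:00Z","action":"deleteLegal","actor_id":1,"actor_roles":["ROLE_ADMIN"],"target_user_id":99}
{"ts":"2026-01-20T10:05:00Z","action":"viewProfile","actor_id":7,"actor_roles":["ROLE_USER"],"target_user_id":8}
LOG;

/**
 * Returns two kinds of findings:
 *   cross_user   - deleteLegal calls where a non-admin acted on someone else's userId
 *   enumeration  - actors who hit more than $burstThreshold distinct targets that way
 */
function detectCrossUserDeletes(string $log, int $burstThreshold = 2): array
{
    $findings = ['cross_user' => [], 'enumeration' => []];
    $targetsByActor = [];

    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = json_decode($line, true, 512, JSON_THROW_ON_ERROR);
        if ($e['action'] !== 'deleteLegal') {
            continue;
        }
        $isAdmin = in_array('ROLE_ADMIN', $e['actor_roles'], true);
        // A user deleting their own record, or an admin acting on anyone, is expected.
        if ($e['actor_id'] === $e['target_user_id'] || $isAdmin) {
            continue;
        }
        $findings['cross_user'][] = $e;
        $targetsByActor[$e['actor_id']][$e['target_user_id']] = true;
    }

    foreach ($targetsByActor as $actor => $targets) {
        if (count($targets) > $burstThreshold) {
            $findings['enumeration'][$actor] = array_keys($targets);
        }
    }
    return $findings;
}

$f = detectCrossUserDeletes(SAMPLE_LOG);
printf("cross-user deletions by non-admins: %d\n", count($f['cross_user']));
foreach ($f['cross_user'] as $e) {
    printf("  %s actor=%d target=%d\n", $e['ts'], $e['actor_id'], $e['target_user_id']);
}
foreach ($f['enumeration'] as $actor => $targets) {
    printf("actor %d deleted consent for %d distinct users: %s\n",
        $actor, count($targets), implode(',', $targets));
}
```

On the constructed sample this reports three cross-user deletions, all by actor 7, and flags actor 7 for enumeration; the admin's deletion and the viewProfile line are ignored. The self-versus-admin exemption in the middle of the loop is the same rule the hardened controller enforces, so the detection and the fix agree on what "authorized" means.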


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2026-01-17T08:37:17.795Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 696c2fcdd302b072d943efbe

Added to database: 1/18/2026, 12:56:45 AM

Last enriched: 1/25/2026, 7:46:31 PM

Last updated: 2/5/2026, 11:30:47 PM

