CVE-2026-1106: Improper Authorization in Chamilo LMS
A vulnerability has been found in Chamilo LMS up to 2.0.0 Beta 1. It affects the function deleteLegal in the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Manipulating the argument userId leads to improper authorization. The attack can be carried out remotely. An exploit has been published and may be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-1106 is an improper-authorization vulnerability in Chamilo LMS up to version 2.0.0 Beta 1, in the deleteLegal function of the Legal Consent Handler component, located in src/CoreBundle/Controller/SocialController.php. The function acts on a caller-supplied userId argument without verifying that the caller is entitled to act on that user: the familiar pattern in which a client-controlled identifier is trusted instead of the identity bound to the authenticated session. An attacker can therefore change userId to delete (or otherwise tamper with) another user's legal consent data, which affects both compliance evidence and data integrity. Per the published CVSS 4.0 vector the attack is network-based (AV:N) with low complexity (AC:L), requires low privileges (PR:L, i.e. an ordinary authenticated account rather than no account at all) and no user interaction (UI:N); the integrity and availability impacts are rated low, giving a base score of 5.3 (medium). Exploit code is public, which raises the likelihood of exploitation even though no in-the-wild attacks are known. The vendor was notified early but has not responded or released a patch, so users remain exposed. The population at risk is organizations running the affected Chamilo versions, especially those that rely on the LMS's consent records for compliance.
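To make the flaw class concrete, the following is an added illustration of the anti-pattern the summary describes and of the standard Symfony fix. It is example code written for this page, not Chamilo's code and not the advisory's: the route paths, the App\Entity\User class with a getId() accessor, the LegalConsentRepository service and its deleteForUser() method, and the ROLE_ADMIN role are all assumptions.

```php
<?php
// Added illustration of the flaw class described above and of the standard Symfony fix.
// This is NOT Chamilo's code. Assumed for the example: the route paths, App\Entity\User
// exposing getId(), LegalConsentRepository::deleteForUser(int): bool, and ROLE_ADMIN.
declare(strict_types=1);

namespace App\Controller;

use App\Entity\User;                                     // assumed entity
use App\Repository\LegalConsentRepository;               // assumed service
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;           // Symfony 6.4+; older: ...\Annotation\Route

final class LegalConsentController extends AbstractController
{
    // VULNERABLE PATTERN (what "manipulation of the argument userId" means in practice):
    // the record to delete is chosen by a client-supplied id, and the only check is that
    // *someone* is logged in. Any low-privileged account (PR:L) can delete anyone's consent.
    // Shown side by side with the fix only for contrast; it would not ship.
    #[Route('/social/legal/delete-unsafe', name: 'legal_delete_unsafe', methods: ['POST'])]
    public function deleteLegalUnsafe(Request $request, LegalConsentRepository $repo): Response
    {
        $userId = $request->request->getInt('userId');   // attacker-controlled
        $repo->deleteForUser($userId);                    // no ownership or role check
        return new JsonResponse(['deleted' => $userId]);
    }

    // HARDENED: the subject defaults to the authenticated user, and acting on anyone else's
    // record requires an explicit privilege. The decision is made once, before any side effect.
    #[Route('/social/legal/delete', name: 'legal_delete', methods: ['POST'])]
    public function deleteLegal(Request $request, LegalConsentRepository $repo): Response
    {
        $current = $this->getUser();
        if (!$current instanceof User) {
            throw $this->createAccessDeniedException();
        }
        $currentId = $current->getId();

        // Absent userId means "my own record". Reject garbage instead of letting an
        // int cast silently turn it into id 0.
        $raw = $request->request->get('userId');
        if ($raw === null || $raw === '') {
            $targetId = $currentId;
        } elseif (filter_var($raw, FILTER_VALIDATE_INT) === false) {
            return new JsonResponse(['error' => 'invalid userId'], Response::HTTP_BAD_REQUEST);
        } else {
            $targetId = (int) $raw;
        }

        if ($targetId !== $currentId) {
            // Deny by default: only a role the application defines as allowed to manage
            // other users' consent (ROLE_ADMIN is assumed here) may cross this line.
            $this->denyAccessUnlessGranted('ROLE_ADMIN');
        }

        if (!$repo->deleteForUser($targetId)) {
            // A non-admin can only reach their own record by now, so a 404 leaks nothing.
            return new JsonResponse(['error' => 'not found'], Response::HTTP_NOT_FOUND);
        }
        return new JsonResponse(['deleted' => $targetId]);
    }
}
```

The design point is that the target of a state-changing action is derived from the session and only widened through an explicit, auditable authorization check; reading the id from the request and checking it afterwards is the same mistake in a different order.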
Potential Impact
The flaw lets an authenticated attacker delete or alter other users' legal consent records by manipulating the userId parameter. Consent records are typically the evidence an organization keeps for regulatory obligations, so unauthorized deletion breaks audit trails and regulatory adherence as well as data integrity. The availability impact is rated low, but deletions can still disrupt normal LMS operations and erode user trust. The low privilege bar (any user account suffices) and the public exploit raise the risk, especially for internet-exposed instances, and more so where self-registration is enabled, since it hands out exactly the kind of account the attack needs. Organizations relying on the LMS for critical training or compliance tracking face operational and reputational damage. The medium CVSS score reflects moderate technical impact; the real-world impact depends on the sensitivity of the consent data and the deployment context.
Mitigation Recommendations
No official patch or vendor response is available, so compensating controls are needed now. Restrict network access to the Chamilo instance (firewall, VPN, reverse-proxy allow-lists) so that only trusted users can reach it, and disable self-registration where it is not required, because any account is enough to exploit the flaw. Restrict or temporarily block the deleteLegal route; on a Symfony application the exact path and methods can be listed with bin/console debug:router before writing a web-server or proxy rule. Monitor access and application logs for requests to that route that carry a userId other than the session's own, and alert on a single client cycling through many userId values, which is what enumeration looks like. Audit the consent data for unexpected gaps so that unauthorized deletions are discovered. Where you maintain a fork or can patch locally, fix the root cause: derive the target user from the authenticated session and require an explicit role for acting on other users, rather than trusting the request parameter. Upgrade as soon as a fixed release is published, and make administrators aware of the issue and of the need to limit exposure until then.
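The log-monitoring recommendation above, as an added example that is not part of the advisory or of Chamilo LMS. It scans standard "combined" web-server access logs for the two signals that are visible there: a client walking the userId space, and every request to the route that carried a userId at all (for correlation with application-side session logs, since a single forged id cannot be told from a legitimate one without knowing who was logged in). The route path is an assumption to be replaced with the real one, and the sample log lines are constructed.

```php
<?php
// Added example for the log-monitoring recommendation; not part of the advisory or of
// Chamilo LMS. ROUTE is an assumption: take the real path of deleteLegal from
// `bin/console debug:router` on your instance. The sample log lines are constructed.
declare(strict_types=1);

const ROUTE = '/social/legal/delete';   // assumed; see comment above

// Apache/Nginx "combined" access-log format. Only userId values sent in the query string
// are visible here; a userId posted in the request body needs application-side logging.
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<target>\S+)[^"]*" (?<status>\d{3}) /';

function parseLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;                                    // not an access-log line
    }
    $url = parse_url($m['target']);
    if ($url === false) {
        return null;
    }
    parse_str($url['query'] ?? '', $query);
    return [
        'ip'     => $m['ip'],
        'ts'     => $m['ts'],
        'method' => $m['method'],
        'path'   => $url['path'] ?? '',
        'status' => (int) $m['status'],
        'userId' => isset($query['userId']) && is_scalar($query['userId']) ? (string) $query['userId'] : null,
    ];
}

/**
 * Two signals from access logs alone:
 *  - 'enumeration': clients that used more than $threshold distinct userId values on the
 *    route, i.e. someone walking the id space (what a public PoC typically does);
 *  - 'requests': every hit on the route that carried a userId, for correlation with the
 *    session/user the application logs, since a single forged id is not visible here.
 */
function analyse(iterable $lines, string $route = ROUTE, int $threshold = 3): array
{
    $perClient = [];
    $requests  = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r === null || $r['userId'] === null || $r['path'] !== $route) {
            continue;
        }
        $requests[] = $r;
        $perClient[$r['ip']][$r['userId']] = true;
    }
    $enumeration = [];
    foreach ($perClient as $ip => $ids) {
        if (count($ids) > $threshold) {
            $enumeration[$ip] = array_keys($ids);
        }
    }
    return ['enumeration' => $enumeration, 'requests' => $requests];
}

// Constructed sample: one client touching five different ids within seconds, one normal user.
$sample = [
    '203.0.113.7 - - [18/Jan/2026:09:12:01 +0000] "POST /social/legal/delete?userId=41 HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '203.0.113.7 - - [18/Jan/2026:09:12:01 +0000] "POST /social/legal/delete?userId=42 HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '203.0.113.7 - - [18/Jan/2026:09:12:02 +0000] "POST /social/legal/delete?userId=43 HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '203.0.113.7 - - [18/Jan/2026:09:12:02 +0000] "POST /social/legal/delete?userId=44 HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '203.0.113.7 - - [18/Jan/2026:09:12:03 +0000] "POST /social/legal/delete?userId=45 HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '198.51.100.23 - - [18/Jan/2026:09:15:40 +0000] "POST /social/legal/delete?userId=1007 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Jan/2026:09:15:41 +0000] "GET /social/profile HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

// Usage: php detect_deletelegal.php /var/log/apache2/access.log   (no argument: run the sample)
$lines  = $argc > 1 ? (file($argv[1], FILE_IGNORE_NEW_LINES) ?: []) : $sample;
$result = analyse($lines);
foreach ($result['enumeration'] as $ip => $ids) {
    printf("ALERT enumeration from %s: %d distinct userId values (%s)\n", $ip, count($ids), implode(',', $ids));
}
printf("%d request(s) to %s carried a userId; correlate with session logs\n", count($result['requests']), ROUTE);
```

The threshold is deliberately low because a legitimate user has no reason to send more than one userId to this endpoint; tune it only if administrators use the same route for bulk clean-up. After the fix is applied, any request that still carries a foreign userId is itself worth an alert, since the hardened handler will answer it with 403.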
Affected Countries
United States, Brazil, France, Spain, Argentina, Mexico, Colombia, Portugal, Italy, Germany
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-17T08:37:17.795Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696c2fcdd302b072d943efbe
Added to database: 1/18/2026, 12:56:45 AM
Last enriched: 2/23/2026, 10:49:07 PM
Last updated: 3/26/2026, 4:00:31 AM