CVE-2026-1106: Improper Authorization in Chamilo LMS
CVE-2026-1106 is a medium severity improper authorization vulnerability in Chamilo LMS version 2.0.0 Beta 1, specifically in the deleteLegal function of the Legal Consent Handler component. An attacker can remotely manipulate the userId argument to bypass authorization controls and perform unauthorized actions. No authentication or user interaction is required, and the vulnerability can be exploited over the network. Although the vendor has not responded or issued a patch, no known exploits are currently observed in the wild. This flaw could allow attackers to delete or modify legal consent data, potentially impacting data integrity and compliance. European organizations using this LMS, especially educational institutions, should prioritize mitigation to prevent unauthorized data manipulation. The vulnerability has a CVSS 4.0 base score of 5.3.
AI Analysis
Technical Summary
CVE-2026-1106 identifies an improper authorization vulnerability in Chamilo LMS up to version 2.0.0 Beta 1, affecting the deleteLegal function within the Legal Consent Handler component (src/CoreBundle/Controller/SocialController.php). The vulnerability arises because the function does not properly validate the userId parameter, allowing an attacker to manipulate this argument remotely to perform unauthorized deletions or modifications of legal consent records. This flaw does not require authentication or user interaction, and the attack vector is network-based, increasing the risk of exploitation. The improper authorization means that an attacker can bypass intended access controls, potentially deleting or altering sensitive legal consent data that may be critical for compliance with data protection regulations such as GDPR. The vendor was notified early but has not responded or released a patch, leaving systems exposed. The CVSS 4.0 score of 5.3 reflects a medium severity, with the attack complexity low and no privileges or user interaction needed. Although no exploits are currently reported in the wild, the public availability of the exploit code increases the likelihood of future attacks. Chamilo LMS is an open-source learning management system widely used by educational institutions and organizations for e-learning, making this vulnerability particularly relevant to entities managing sensitive user data and consent information.
Potential Impact
For European organizations, especially educational institutions and training providers using Chamilo LMS, this vulnerability poses a risk to the confidentiality and integrity of legal consent data. Unauthorized deletion or modification of consent records can lead to non-compliance with GDPR and other data protection laws, potentially resulting in legal penalties and reputational damage. The ability to exploit this vulnerability remotely without authentication increases the attack surface, allowing threat actors to target vulnerable LMS deployments over the internet. Disruption or manipulation of consent data can also undermine trust in the LMS platform and impact the organization's ability to demonstrate lawful data processing. Additionally, if attackers leverage this flaw as part of a broader attack chain, it could facilitate further unauthorized access or data breaches. The medium severity rating suggests a moderate but tangible risk that should not be ignored, particularly given the lack of vendor response and patch availability.
Mitigation Recommendations
1. Immediately restrict network access to the Chamilo LMS instance, limiting it to trusted IP addresses or VPN connections to reduce exposure to remote attackers.
2. Implement strict monitoring and logging of all requests to the deleteLegal function or related endpoints, with alerts for unusual or unauthorized userId parameter manipulations.
3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable function.
4. Conduct a thorough audit of existing legal consent data to identify any unauthorized changes or deletions.
5. Engage with the Chamilo community or security forums to track any unofficial patches or workarounds until an official fix is released.
6. If feasible, consider temporarily disabling or restricting the functionality related to legal consent management until the vulnerability is addressed.
7. Educate LMS administrators about the vulnerability and encourage prompt application of any future vendor patches or updates.
8. Review and strengthen access control mechanisms within the LMS to prevent similar authorization bypass issues in other components.
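Recommendation 2 above calls for logging and alerting on requests to the deleteLegal endpoint whose userId does not belong to the calling session. The following is an added example of that detection logic, not code or log data from Chamilo or from this page: it parses constructed access-log lines and flags unauthenticated calls to the endpoint, authenticated calls that target a different userId than the session user, and source IPs that sweep several userId values. The route path (/social/legal/delete), the log line layout and the user= session field are assumptions; adapt them to the real deployment.

```python
import re
from collections import Counter

# Constructed sample log lines (not real Chamilo logs). Format assumed:
# <client ip> user=<session user id or -> "<method> <path?query>" <status>
SAMPLE_LOG = """\
10.0.0.5 user=42 "POST /social/legal/delete?userId=42" 200
10.0.0.9 user=- "POST /social/legal/delete?userId=17" 200
10.0.0.9 user=- "POST /social/legal/delete?userId=18" 200
10.0.0.9 user=- "POST /social/legal/delete?userId=19" 200
10.0.0.7 user=8 "POST /social/legal/delete?userId=301" 200
10.0.0.7 user=8 "GET /social/profile?userId=8" 200
"""

# Assumed route for the deleteLegal action; replace with the real one.
DELETE_LEGAL_PATH = "/social/legal/delete"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) user=(?P<session>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d+)$'
)

def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    route, _, query = rec["path"].partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    rec["route"] = route
    rec["user_id"] = params.get("userId")
    return rec

def classify(rec):
    """Label a parsed request as suspicious, or return None if it looks legitimate."""
    if rec is None or rec["route"] != DELETE_LEGAL_PATH:
        return None
    if rec["session"] == "-":
        return "unauthenticated-deleteLegal"   # endpoint reached with no session at all
    if rec["user_id"] != rec["session"]:
        return "userId-mismatch"               # caller targets someone else's consent record
    return None

def scan(log_text):
    """Return (findings, per_ip_counts); each finding is (ip, userId, label)."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings.append((rec["ip"], rec["user_id"], label))
            per_ip[rec["ip"]] += 1
    return findings, per_ip

def sweeping_ips(per_ip, threshold=3):
    """IPs with at least `threshold` flagged deleteLegal requests (likely userId enumeration)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

Running scan(SAMPLE_LOG) flags four of the six constructed lines and reports 10.0.0.9 as sweeping userId values; the legitimate self-deletion from user 42 and the unrelated profile request are not flagged.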
Affected Countries
France, Germany, United Kingdom, Spain, Italy, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-17T08:37:17.795Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696c2fcdd302b072d943efbe
Added to database: 1/18/2026, 12:56:45 AM
Last enriched: 1/18/2026, 1:11:26 AM
Last updated: 1/18/2026, 2:56:30 AM