Chamilo LMS, an open-source learning management system widely used in educational institutions and organizations, was found to have a user enumeration vulnerability identified as CVE-2026-30876. This vulnerability is classified under CWE-204 (Observable Response Discrepancy), where the application reveals information about valid usernames by responding differently to authentication or user validation requests depending on whether the username exists. Specifically, versions of Chamilo LMS prior to 1.11.36 exhibit distinct response behaviors—such as differing error messages, response times, or HTTP status codes—that allow unauthenticated remote attackers to determine valid usernames. This information leakage can be leveraged to facilitate further attacks like credential stuffing, brute force password guessing, or social engineering. The CVSS v4.0 base score is 6.3, reflecting medium severity due to network attack vector, low complexity, no privileges or user interaction required, but limited to information disclosure without direct impact on confidentiality, integrity, or availability. The vulnerability was patched in version 1.11.36 by standardizing responses to authentication attempts to prevent attackers from distinguishing valid from invalid usernames. No known exploits are currently reported in the wild, but the vulnerability's presence in widely deployed LMS software makes timely patching critical.

The primary impact of CVE-2026-30876 is information disclosure through user enumeration, which can significantly aid attackers in identifying valid user accounts within an organization’s Chamilo LMS deployment. This can lead to increased risk of targeted phishing campaigns, credential stuffing attacks, and brute force password attempts against confirmed usernames. While the vulnerability does not allow direct unauthorized access or data manipulation, the enumeration capability lowers the attacker's effort and increases the likelihood of successful subsequent attacks. For educational institutions and organizations relying on Chamilo LMS for sensitive or personal data, this can result in compromised user accounts, privacy violations, and potential reputational damage. Additionally, automated scanning tools could exploit this vulnerability at scale, increasing the attack surface. The lack of required authentication or user interaction means attackers can perform enumeration remotely and stealthily, increasing risk especially in internet-facing LMS deployments.

To mitigate CVE-2026-30876, organizations should immediately upgrade Chamilo LMS to version 1.11.36 or later, where the vulnerability is patched. If immediate upgrade is not feasible, administrators should implement application-layer mitigations such as uniform error messages and response times for authentication failures to obfuscate valid usernames. Rate limiting and IP-based throttling on login and user validation endpoints can reduce the effectiveness of enumeration attempts. Deploying Web Application Firewalls (WAFs) with rules to detect and block suspicious enumeration patterns can provide additional protection. Monitoring authentication logs for repeated failed attempts and unusual access patterns can help detect ongoing enumeration attacks. Educating users about phishing risks and enforcing strong password policies, including multi-factor authentication where possible, will reduce the impact of compromised credentials obtained through enumeration-facilitated attacks.