CVE-2026-3110: CWE-284 Improper Access Control in Educativa Campus
CVE-2026-3110 is an Insecure Direct Object Reference (IDOR) vulnerability in Educativa Campus version 14.05.00-35. It affects the endpoint that exports the data of users enrolled in a course, selected by the URL parameter 'wid_cursoActual'. An unauthenticated attacker can brute-force course IDs to access sensitive user information such as usernames, full names, email addresses, and phone numbers. The vulnerability requires no authentication or user interaction and has a high CVSS score of 8.7, indicating a severe risk. There are currently no known exploits in the wild and no official patches released. This flaw compromises confidentiality by exposing personal data and could lead to privacy violations and targeted attacks. Organizations using Educativa Campus should implement strict access controls, monitor for abnormal requests, and limit exposure of sensitive endpoints.
AI Analysis
Technical Summary
CVE-2026-3110 is a high-severity vulnerability classified under CWE-284 (Improper Access Control) found in Educativa Campus, specifically version 14.05.00-35. The vulnerability exists in the endpoint '/administracion/admin_usuarios.cgi', which exports the data of users enrolled in a course as an XLSX file. The parameter 'wid_cursoActual' selects the course ID, but the endpoint performs no authorization check on it, so unauthenticated attackers can enumerate course IDs by brute force. By manipulating this parameter, attackers can retrieve sensitive personal information of users enrolled in any course, including usernames, first and last names, email addresses, and phone numbers. The vulnerability does not require authentication, user interaction, or privileges, making exploitation straightforward. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) reflects a network attack vector, low complexity, no authentication, and high confidentiality impact. Although no exploits are currently known in the wild and no patches have been published, the risk of data leakage and privacy violations is significant. This vulnerability highlights a critical failure in access control mechanisms within the Educativa Campus platform, potentially exposing large volumes of sensitive educational user data.
Potential Impact
The primary impact of CVE-2026-3110 is the unauthorized disclosure of sensitive personal data of users enrolled in courses on the Educativa Campus platform. This breach of confidentiality can lead to privacy violations, identity theft, phishing campaigns, and social engineering attacks targeting affected individuals. Educational institutions using this platform may suffer reputational damage, legal consequences under data protection regulations (such as GDPR or local privacy laws), and loss of trust from students and staff. The ease of exploitation—requiring no authentication or user interaction—means attackers can automate data harvesting at scale, potentially compromising data for all courses hosted on vulnerable instances. While the vulnerability does not directly affect system integrity or availability, the exposure of personal data is critical in educational environments where privacy is paramount. Organizations worldwide using Educativa Campus or similar systems face increased risk of targeted attacks and regulatory scrutiny if this vulnerability remains unmitigated.
Mitigation Recommendations
To mitigate CVE-2026-3110, organizations should immediately implement strict access control checks on the '/administracion/admin_usuarios.cgi' endpoint, ensuring that only authenticated and authorized users can access course user data exports. Rate limiting and anomaly detection should be applied to prevent brute-force enumeration of course IDs. If possible, disable or restrict the export functionality until a secure patch is available. Employ web application firewalls (WAFs) to detect and block suspicious URL parameter manipulation attempts. Conduct thorough code reviews and penetration testing focusing on IDOR vulnerabilities across all endpoints handling sensitive data. Educate administrators about monitoring logs for unusual access patterns related to course data exports. Coordinate with Educativa for timely patch deployment once available. Additionally, consider encrypting sensitive data at rest and in transit to reduce exposure risk. Finally, review and update privacy policies and incident response plans to prepare for potential data breach scenarios.
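The log monitoring recommended above can be made concrete. The following added example (not Educativa code, and not part of the original advisory) scans web server access logs in Combined Log Format for the IDOR signature described on this page: one client successfully pulling exports from '/administracion/admin_usuarios.cgi' for many distinct 'wid_cursoActual' values, with no authenticated user on the requests. The log lines, client addresses and the user name 'docente1' are constructed samples.

```python
"""Flag brute-force enumeration of 'wid_cursoActual' on the Educativa Campus export
endpoint from access logs. Added illustration, not Educativa code; assumes Combined
Log Format and uses constructed sample lines, not real traffic."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

EXPORT_PATH = "/administracion/admin_usuarios.cgi"
PARAM = "wid_cursoActual"
# Combined Log Format: ip, ident, auth user, timestamp, request line, status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Return (ip, auth_user, course_id, status) for export-endpoint hits, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if url.path != EXPORT_PATH:
        return None
    course = parse_qs(url.query).get(PARAM, [None])[0]
    return m.group("ip"), m.group("user"), course, int(m.group("status"))

def find_enumeration(lines, threshold=5):
    """Report clients that successfully exported >= threshold distinct course IDs.
    Successful exports with no authenticated user ('-') are this IDOR's signature."""
    courses = defaultdict(set)  # ip -> distinct course IDs exported
    unauth = defaultdict(int)   # ip -> successful exports with no auth user
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] is None or rec[3] >= 300:
            continue  # not the export endpoint, no course ID, or request refused
        ip, user, course, _ = rec
        courses[ip].add(course)
        if user == "-":
            unauth[ip] += 1
    return {ip: {"distinct_courses": len(c), "unauth_hits": unauth[ip]}
            for ip, c in courses.items() if len(c) >= threshold}

# Constructed sample: one client walks six course IDs without logging in,
# a logged-in teacher exports one course, plus an unrelated request.
SAMPLE_LOG = [
    f'203.0.113.7 - - [16/Mar/2026:18:2{i}:00 +0000] '
    f'"GET {EXPORT_PATH}?{PARAM}={1000 + i} HTTP/1.1" 200 5120' for i in range(1, 7)
] + [
    '198.51.100.4 - docente1 [16/Mar/2026:18:30:00 +0000] '
    f'"GET {EXPORT_PATH}?{PARAM}=2001 HTTP/1.1" 200 4096',
    '198.51.100.4 - docente1 [16/Mar/2026:18:31:00 +0000] "GET / HTTP/1.1" 200 512',
]
```

Running `find_enumeration(SAMPLE_LOG)` reports only the unauthenticated client that walked six course IDs; the teacher's single export stays below the threshold. Once the authorization fix is deployed, the same scan should show refused (non-2xx) responses instead of successful unauthenticated exports.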
Affected Countries
Spain, Mexico, Argentina, Colombia, Chile, Peru, Brazil, United States
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2026-02-24T10:54:34.006Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b84a03771bdb1749186af0
Added to database: 3/16/2026, 6:20:51 PM
Last enriched: 3/16/2026, 6:26:16 PM
Last updated: 3/16/2026, 7:23:00 PM