CVE-2026-3111: CWE-284 Improper Access Control in Educativa Campus
Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa, specifically at the endpoint '/archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg' (where AAxAA is 80x90 or 40x45). Successful exploitation of this vulnerability could allow an unauthenticated attacker to access the profile photos of all users via a manipulated URL, enabling them to collect user photos en masse. This could lead to these photos being used maliciously to impersonate identities, perform social engineering, link identities across platforms using facial recognition, or even carry out doxxing.
AI Analysis
Technical Summary
CVE-2026-3111 is a medium severity vulnerability classified under CWE-284 (Improper Access Control) affecting Educativa Campus, specifically version 14.05.00-35. The vulnerability arises from an Insecure Direct Object Reference (IDOR) at the endpoint '/archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg', which serves user profile photos in two sizes (80x90 and 40x45). Due to insufficient access control checks, an unauthenticated attacker can manipulate the URL parameters (user ID and username) to retrieve profile photos of any user without authorization. This flaw does not require any authentication or user interaction, making it trivially exploitable remotely over the network. The exposed photos can be collected en masse, enabling attackers to perform malicious activities such as identity impersonation, social engineering attacks, linking identities across different platforms using facial recognition technologies, or doxxing individuals by correlating their images with other personal data. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation pose a significant privacy risk. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact (exposure of photos only). The vulnerability affects only the specified version, and no patches or mitigations have been officially published at the time of disclosure.
Potential Impact
The primary impact of CVE-2026-3111 is the unauthorized disclosure of user profile photos, which compromises user privacy and can facilitate further attacks. Organizations using Educativa Campus version 14.05.00-35 risk mass leakage of sensitive biometric data (user images), which can be exploited for identity theft, social engineering, and doxxing. This can damage user trust and lead to reputational harm, especially for educational institutions managing sensitive student and staff data. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach can have cascading effects, including targeted phishing campaigns or harassment. The ease of exploitation without authentication increases the likelihood of automated scraping attacks. Organizations may also face regulatory compliance issues related to data protection laws such as GDPR or CCPA if personal data is exposed. The impact is particularly critical for institutions with large user bases or those in regions with strict privacy regulations.
Mitigation Recommendations
To mitigate CVE-2026-3111, organizations should immediately implement strict access control checks on the '/archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg' endpoint to ensure only authorized users can access profile photos. This includes validating the requesting user's identity and permissions before serving images. Employing token-based or session-based authentication mechanisms to restrict access is essential. Additionally, rate limiting and anomaly detection can help identify and block automated scraping attempts. Organizations should monitor access logs for suspicious URL manipulation patterns. If possible, temporarily disabling public access to profile photos until a patch is available can reduce exposure. Educativa should be contacted to obtain or request an official patch or update addressing this vulnerability. User awareness campaigns about phishing and social engineering risks related to exposed images can also reduce downstream impact. Finally, consider implementing privacy-preserving measures such as watermarking images or limiting photo resolution to reduce misuse.
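The two controls the recommendations lean on most, an authorization check before the thumbnail is served and log monitoring for enumeration, are shown below as an added example. This is not Educativa code and makes no claim about how Campus is implemented: the route shape and the two sizes come from the advisory, while the viewing policy (owner, staff, or a shared course), the in-memory user directory, the Apache-style log format, and the 20-IDs-in-5-minutes threshold are all assumptions chosen for illustration. The point of the handler is that the object reference in the URL is only honoured after the requester's session is tied to the target through an explicit rule, and that a failed check returns 404 rather than 403 so the response does not confirm which IDs exist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Route shape from the advisory; only the two advertised sizes are accepted.
THUMB_RE = re.compile(
    r"^/archivos/usuarios/(\d+)/([A-Za-z0-9_.-]+)/thumb_(80x90|40x45)\.jpg$"
)

# Constructed user directory (assumption): id -> account record.
DIRECTORY = {
    42: {"username": "alice", "role": "student", "courses": {"math"}},
    43: {"username": "bob", "role": "student", "courses": {"math"}},
    44: {"username": "carol", "role": "student", "courses": {"art"}},
    7: {"username": "staff1", "role": "staff", "courses": set()},
}


def parse_thumb_path(path):
    """Return (user_id, username, size) for a well-formed thumbnail path, else None."""
    m = THUMB_RE.match(path)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def can_view_photo(session, target_id, target_username, directory):
    """Assumed policy: the requester must be logged in, the id/username pair must
    name a real account, and the requester must be the owner, a staff member,
    or share at least one course with the target."""
    if session is None:
        return False
    account = directory.get(target_id)
    if account is None or account["username"] != target_username:
        return False  # mismatched pair: treat as not found, do not leak existence
    if session["user_id"] == target_id or session["role"] == "staff":
        return True
    requester = directory.get(session["user_id"])
    return bool(requester and requester["courses"] & account["courses"])


def serve_thumbnail(path, session, directory=DIRECTORY):
    """Hardened handler: (status, body). The unpatched behaviour described in the
    advisory would return 200 here for any id/username pair with no session."""
    parsed = parse_thumb_path(path)
    if parsed is None:
        return 404, None
    target_id, username, size = parsed
    if session is None:
        return 401, None
    if not can_view_photo(session, target_id, username, directory):
        return 404, None  # 404 instead of 403 so the response does not confirm the target
    return 200, f"<thumbnail {target_id} {size}>"


# Detection side: an Apache combined-style line, constructed for this example.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" (\d{3})')


def detect_enumeration(log_lines, max_distinct_ids=20, window=timedelta(minutes=5)):
    """Return {client_ip: distinct_ids} for clients that fetched thumbnails of at
    least max_distinct_ids different user IDs within any window-long span."""
    seen = defaultdict(list)  # ip -> [(timestamp, user_id)]
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, path, _status = m.groups()
        parsed = parse_thumb_path(path)
        if parsed is None:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        seen[ip].append((when, parsed[0]))
    flagged = {}
    for ip, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {uid for t, uid in events[i:] if t - start <= window}
            if len(ids) >= max_distinct_ids:
                flagged[ip] = len(ids)
                break
    return flagged


def constructed_log_lines():
    """Constructed sample: one client walking 25 consecutive IDs in 25 seconds,
    plus one ordinary single request from another client."""
    base = datetime(2026, 3, 16, 18, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /archivos/usuarios/{1000 + i}/user{i}/thumb_80x90.jpg HTTP/1.1" 200')
    ts = base.strftime(fmt)
    lines.append(f'198.51.100.2 - - [{ts}] "GET /archivos/usuarios/1003/user3/thumb_40x45.jpg HTTP/1.1" 200')
    return lines


if __name__ == "__main__":
    print(serve_thumbnail("/archivos/usuarios/42/alice/thumb_80x90.jpg", None))
    print(serve_thumbnail("/archivos/usuarios/42/alice/thumb_80x90.jpg", {"user_id": 43, "role": "student"}))
    print(detect_enumeration(constructed_log_lines()))
```

The detector is deliberately simple (distinct target IDs per source address in a sliding window) because the advisory's scraping pattern is sequential ID walking by an unauthenticated client; in production the same logic would key on a session or API token as well as the address, and the threshold would be tuned against normal course-roster browsing.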
Affected Countries
United States, Spain, Mexico, Argentina, Colombia, Brazil, Chile, Peru, United Kingdom, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2026-02-24T10:54:35.705Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b84a05771bdb1749186bd3
Added to database: 3/16/2026, 6:20:53 PM
Last enriched: 3/16/2026, 6:26:34 PM
Last updated: 3/16/2026, 7:42:23 PM