CVE-2026-33708: CWE-862: Missing Authorization in chamilo chamilo-lms
Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.
AI Analysis
Technical Summary
Chamilo LMS before version 1.11.38 exposes a missing authorization vulnerability (CWE-862) in its get_user_info_from_username REST API endpoint. Authenticated users can access sensitive personal information of other users without proper authorization validation. This issue compromises confidentiality but does not affect integrity or availability. The vulnerability is addressed by updating to Chamilo LMS version 1.11.38.
Potential Impact
An attacker with valid authentication credentials, which in a learning management system includes any enrolled student, can retrieve personal information of any user: email addresses, full names, user IDs, and account active status. This exposure can lead to privacy violations and enables social engineering against the affected users. No impact on data integrity or system availability has been reported.
Mitigation Recommendations
Upgrade Chamilo LMS to version 1.11.38 or later, where this authorization issue is fixed. No official patch link or vendor advisory is provided with this record, so confirm the availability of the fixed release and the latest remediation guidance through the official Chamilo project resources.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:06:05.747Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d94d8f1cc7ad14dae0faec
Added to database: 4/10/2026, 7:20:47 PM
Last enriched: 4/18/2026, 2:04:12 PM
Last updated: 5/26/2026, 1:42:08 AM
Views: 58