CVE-2026-33710: CWE-330: Use of Insufficiently Random Values in chamilo chamilo-lms
Chamilo LMS versions prior to 1. 11. 38 and 2. 0. 0-RC. 3 generate REST API keys using an insufficiently random method involving md5 hashing of a timestamp and user ID with a flawed random number call. The rand function is called with identical min and max values, causing it to always return the same number, which weakens the randomness of the API keys. This allows an attacker who knows a username and approximate key creation time to brute-force the API key. The vulnerability is assigned CVE-2026-33710 and has a high severity score of 7. 5.
AI Analysis
Technical Summary
CVE-2026-33710 affects Chamilo LMS where REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). Because rand(10000, 10000) always returns 10000, the key generation formula effectively becomes md5(timestamp + user_id*5 - 10000), resulting in insufficient randomness (CWE-330). This predictable key generation enables brute-force attacks if the attacker knows the username and approximate key creation time. The vulnerability impacts versions prior to 1.11.38 and between 2.0.0-alpha.1 and before 2.0.0-RC.3. It has a CVSS 3.1 base score of 7.5 (high severity) with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. The vulnerability is fixed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3.
Potential Impact
An attacker can brute-force REST API keys due to insufficient randomness in key generation, potentially gaining unauthorized read access to sensitive information via the API. The confidentiality of data is at high risk, but integrity and availability are not impacted. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Upgrade Chamilo LMS to version 1.11.38 or later, or to 2.0.0-RC.3 or later, where this vulnerability is fixed. Patch status is confirmed by the version information in the advisory. No other mitigation is indicated.
CVE-2026-33710: CWE-330: Use of Insufficiently Random Values in chamilo chamilo-lms
Description
Chamilo LMS versions prior to 1. 11. 38 and 2. 0. 0-RC. 3 generate REST API keys using an insufficiently random method involving md5 hashing of a timestamp and user ID with a flawed random number call. The rand function is called with identical min and max values, causing it to always return the same number, which weakens the randomness of the API keys. This allows an attacker who knows a username and approximate key creation time to brute-force the API key. The vulnerability is assigned CVE-2026-33710 and has a high severity score of 7. 5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33710 affects Chamilo LMS where REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). Because rand(10000, 10000) always returns 10000, the key generation formula effectively becomes md5(timestamp + user_id*5 - 10000), resulting in insufficient randomness (CWE-330). This predictable key generation enables brute-force attacks if the attacker knows the username and approximate key creation time. The vulnerability impacts versions prior to 1.11.38 and between 2.0.0-alpha.1 and before 2.0.0-RC.3. It has a CVSS 3.1 base score of 7.5 (high severity) with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. The vulnerability is fixed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3.
Potential Impact
An attacker can brute-force REST API keys due to insufficient randomness in key generation, potentially gaining unauthorized read access to sensitive information via the API. The confidentiality of data is at high risk, but integrity and availability are not impacted. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Upgrade Chamilo LMS to version 1.11.38 or later, or to 2.0.0-RC.3 or later, where this vulnerability is fixed. Patch status is confirmed by the version information in the advisory. No other mitigation is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T17:06:05.747Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d94d8f1cc7ad14dae0faf0
Added to database: 4/10/2026, 7:20:47 PM
Last enriched: 4/10/2026, 7:35:44 PM
Last updated: 4/10/2026, 9:01:55 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.