CVE-2026-34160: CWE-306: Missing Authentication for Critical Function in chamilo chamilo-lms
Chamilo LMS versions prior to 2.0.0-RC.3 contain an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the PENS plugin endpoint. This endpoint accepts a user-controlled URL parameter that the server fetches without filtering internal or private IP addresses. Exploitation allows attackers to probe internal network services, access cloud metadata endpoints to steal credentials, or trigger state-changing operations on internal services without authentication. The issue has been fixed in version 2.0.0-RC.3.
AI Analysis
Technical Summary
Chamilo LMS, an open-source learning management system, has a critical vulnerability (CVE-2026-34160) in versions before 2.0.0-RC.3. The PENS plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-supplied package-url parameter. The server fetches this URL using curl without filtering private or internal IP addresses, enabling unauthenticated SSRF attacks. Attackers can leverage this to access internal network resources, cloud metadata services (e.g., 169.254.169.254), potentially stealing IAM credentials and sensitive instance metadata or triggering state-changing operations via callback parameters. This significantly increases the attack surface due to the lack of authentication. The vulnerability is addressed in version 2.0.0-RC.3.
Potential Impact
The vulnerability allows unauthenticated attackers to perform SSRF attacks, potentially accessing sensitive internal network services and cloud metadata endpoints. This can lead to theft of IAM credentials and sensitive instance metadata or manipulation of internal services through state-changing callbacks. The CVSS score of 8.6 indicates a high severity impact with network attack vector, no privileges or user interaction required, and high confidentiality impact but no integrity or availability impact.
Mitigation Recommendations
A fix is available in Chamilo LMS version 2.0.0-RC.3. Users should upgrade to this version or later to remediate the vulnerability. Until upgraded, restrict access to the vulnerable endpoint and monitor for suspicious activity related to SSRF attempts. Patch status is confirmed by the vendor's version release notes indicating the issue is fixed in 2.0.0-RC.3.
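The analysis above says the endpoint fetches a user-supplied URL "without filtering private or internal IP addresses". The following is an added example of the kind of outbound-URL guard that filter would consist of; it is not Chamilo code and not the vendor's fix. It restricts the scheme, resolves the host, and rejects any address that is not globally routable (loopback, link-local such as 169.254.169.254, RFC 1918, multicast, IPv4-mapped IPv6). The name table `CONSTRUCTED_DNS`, the resolver `constructed_resolver`, and every hostname and address in it are constructed so the example runs offline; `system_resolver` shows what a deployment would use instead.

```python
"""Outbound-URL guard for a server-side fetch (SSRF mitigation).

Added example, not Chamilo code: rejects URLs whose host resolves to a
loopback, link-local, private, multicast or otherwise non-public address
before the fetch happens, and returns the vetted IPs so the caller can
pin the connection to them.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed name table so the example runs offline. The public address
# is invented for the example and is not a claim about any real host.
CONSTRUCTED_DNS = {
    "example.org": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "intranet.local": ["10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
}


def constructed_resolver(host):
    """Offline stand-in for DNS; a deployment would call system_resolver."""
    if host not in CONSTRUCTED_DNS:
        raise ValueError(f"unresolvable host: {host}")
    return CONSTRUCTED_DNS[host]


def system_resolver(host):
    """Resolve every A/AAAA record; all of them must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap ::ffff:a.b.c.d so an IPv4 metadata address cannot hide in IPv6 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url, resolver=system_resolver):
    """Return the public IPs the fetch may connect to, or raise ValueError."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        addrs = resolver(host)
    rejected = [a for a in addrs if not is_public_address(a)]
    if rejected:
        raise ValueError(f"{host} resolves to non-public address(es): {rejected}")
    return addrs


def is_allowed(url, resolver=system_resolver):
    """Boolean wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("https://example.org/pkg.zip",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://metadata.internal/",
                      "http://localhost:8080/",
                      "ftp://example.org/pkg.zip"):
        verdict = "allow" if is_allowed(candidate, constructed_resolver) else "reject"
        print(f"{candidate:45} -> {verdict}")
```

Two points matter when wiring a guard like this into a curl-based fetcher of the kind the analysis describes. First, the check is only as good as the connection that follows it: connect to the addresses the validator returned (curl's CURLOPT_RESOLVE pins a name to an IP) rather than letting the fetcher resolve the name a second time, and either disable CURLOPT_FOLLOWLOCATION or re-run the validator on every redirect target, since a redirect to an internal address bypasses a check done only on the first URL. Second, the CWE on this entry is missing authentication, so the filter is a defence-in-depth layer on top of requiring an authenticated, authorised user for the endpoint, not a substitute for it.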
CVSS v3.1
Score 8.6 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-25T20:12:04.197Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69deaedd82d89c981f019385
Added to database: 4/14/2026, 9:17:17 PM
Last enriched: 4/22/2026, 6:47:47 AM
Last updated: 5/29/2026, 10:47:02 PM
Views: 66