CVE-2026-40291

moderate-risk

Published 2026-04-14

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (11)

Chamilo Lms

Affected Vendors

Chamilo

References (2)

Product https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3

Vendor Advisory https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 0/34 · Minimal

Exposure 16/34 · Moderate