{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40291", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.035Z", "datePublished": "2026-04-14T21:37:55.490Z", "dateUpdated": "2026-04-15T14:24:29.902Z"}, "containers": {"cna": {"title": "Chamilo LMS has Privilege Escalation via API User Role Modification", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x"}, {"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": "< 2.0-RC.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:37:55.490Z"}, "descriptions": [{"lang": "en", "value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3."}], "source": {"advisory": "GHSA-7phx-w897-4c9x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T14:24:20.523815Z", "id": "CVE-2026-40291", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:24:29.902Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40291", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T14:24:20.523815Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:24:26.077Z"}}], "cna": {"title": "Chamilo LMS has Privilege Escalation via API User Role Modification", "source": {"advisory": "GHSA-7phx-w897-4c9x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": "< 2.0-RC.3"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3", "name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:37:55.490Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40291", "state": "PUBLISHED", "dateUpdated": "2026-04-15T14:24:29.902Z", "dateReserved": "2026-04-10T20:22:44.035Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T21:37:55.490Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3."}], "id": "CVE-2026-40291", "lastModified": "2026-04-14T22:16:32.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T22:16:32.507", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0-RC.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-04-14T23:26:49.531980+00:00", "value": {"mitigation_remediation": ["Upgrade to version 2.0.0\u2011RC.3 or later", "Ensure the roles field is removed from the writable serialization group for non\u2011admin users and verify the is_granted('EDIT', object) expression correctly limits role changes", "Re\u2011audit user roles, remove unintended admin accounts, and review audit logs for recent role modifications"], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of Chamilo LMS using versions before 2.0.0\u2011RC.3 that expose the user API. The affected product is Chamilo LMS provided by the Chamilo project. Administrators should identify deployments running a pre\u2011RC.3 release and verify that the API is exposed.", "description_and_impact": "Chamilo LMS is an open\u2011source learning management system. An insecure direct object reference was discovered in the PUT /api/users/{id} endpoint, allowing any authenticated user who has the ROLE_STUDENT privilege to modify their own user record. By changing the roles field to include ROLE_ADMIN, the attacker can elevate privileges to full administrative control. This grants access to all courses, user data, grade information and administrative settings, effectively compromising the entire platform.", "risk_and_exploitability": "The assigned CVSS score of 8.8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated student account that has network connectivity to the API; the attacker needs only to craft a PUT request to their own user ID and assign the ADMIN role. Because the API's security expression only checks record ownership, further defensive checks are not performed, making exploitation straightforward for any logged\u2011in user. Immediate patching is strongly recommended."}}}}, "created": "2026-04-15T13:48:23.622866+00:00", "updated": "2026-04-15T14:31:57.032946+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}