CVE-2026-33703

Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users’ Personal Data and API Tokens

Description

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3.

INFO

Published Date :

2026-04-10T18:23:01.031Z

Last Modified :

2026-04-10T18:23:01.031Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-33703 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33703.

URL	Resource
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability