Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

INFO

Published Date :

2026-04-10T18:59:24.111Z

Last Modified :

2026-04-13T15:36:06.835Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33710 vulnerability.

Vendors Products
Chamilo
  • Chamilo Lms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33710.

URL Resource
https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09 cve-icon cve-icon
https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d cve-icon cve-icon
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact