Description

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.

INFO

Published Date :

2026-04-14T21:37:55.490Z

Last Modified :

2026-04-15T14:24:29.902Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40291 vulnerability.

Vendors Products
Chamilo
  • Chamilo Lms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40291.

URL Resource
https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3 cve-icon cve-icon
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact