PT-2026-32016 · Unknown · Chamilo Lms

Published: 2026-04-10 · Updated: 2026-04-11 · CVE-2026-33703

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Chamilo LMS versions prior to 2.0.0-RC.3

Description

Chamilo LMS, a learning management system, contains an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} API endpoint. An authenticated user can access full personal data and API tokens of arbitrary users by modifying the userId parameter. This can lead to the disclosure of sensitive user information and credentials, potentially resulting in a full platform data breach.

Recommendations

Update to version 2.0.0-RC.3 or later.
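
To scope exposure on an affected instance, the following added example (not part of the advisory or of Chamilo's code) scans access logs for successful requests to the endpoint where the requested userId differs from the authenticated user. The log format, the `uid=` field, and the admin allowlist are assumptions; adapt the pattern to what your proxy or application actually records.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed format: client IP, authenticated user id
# (as written by the application or reverse proxy), request line, status.
SAMPLE_LOG = """\
203.0.113.7 uid=42 "GET /social-network/personal-data/42 HTTP/1.1" 200
203.0.113.7 uid=42 "GET /social-network/personal-data/43 HTTP/1.1" 200
203.0.113.7 uid=42 "GET /social-network/personal-data/44 HTTP/1.1" 200
198.51.100.9 uid=1 "GET /social-network/personal-data/57 HTTP/1.1" 200
198.51.100.20 uid=57 "GET /social-network/personal-data/58 HTTP/1.1" 403
192.0.2.5 uid=- "GET /social-network/personal-data/9 HTTP/1.1" 401
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) uid=(?P<uid>\d+|-) '
    r'"(?P<method>[A-Z]+) /social-network/personal-data/(?P<target>\d+)'
    r'(?:[/?][^ "]*)? HTTP/[\d.]+" (?P<status>\d{3})$'
)

def find_cross_user_reads(log_text, admin_ids=frozenset()):
    """Return {requester_id: sorted target ids} for successful (2xx) requests
    in which a user fetched another user's personal data.

    admin_ids is an assumed allowlist of accounts permitted to read other
    users' records; the advisory does not say which roles are exempt.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["uid"] == "-":
            continue  # other endpoints, malformed lines, or unauthenticated
        requester, target = int(m["uid"]), int(m["target"])
        if requester in admin_ids or requester == target:
            continue  # own record, or allowlisted account
        if m["status"].startswith("2"):
            hits[requester].add(target)  # data was actually returned
    return {uid: sorted(targets) for uid, targets in hits.items()}

if __name__ == "__main__":
    found = find_cross_user_reads(SAMPLE_LOG, admin_ids={1})
    for uid, targets in found.items():
        print(f"user {uid} read personal data of users {targets}")
```

Accounts listed as targets are the ones whose personal data and API tokens should be treated as disclosed; rotate those tokens after updating to 2.0.0-RC.3 or later.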

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-33703

Affected Products

Chamilo Lms