CVE-2026-33706

Name of the Vulnerable Software and Affected Versions Chamilo LMS versions prior to 1.11.38

Description Chamilo LMS is a learning management system. Authenticated users with a REST API key can modify their own status field via the update user from username API endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges.

Recommendations Update to version 1.11.38 or later.