PT-2026-32023 · Chamilo · Chamilo Lms
Published 2026-04-10 · Updated 2026-04-10 · CVE-2026-33708
CVSS v3.1: 6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Chamilo LMS is a learning management system. Prior to 1.11.38, the "get user info from username" REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students, because the endpoint performs no authorization check. This vulnerability is fixed in 1.11.38.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Chamilo Lms