PT-2026-32939 · Unknown · Chamilo Lms

8L4Nnk · Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-40291

CVSS v3.1

8.8 High
Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Chamilo LMS versions prior to 2.0.0-RC.3

Description

An insecure direct object modification (mass assignment) in the 'PUT /api/users/{id}' endpoint allows an authenticated user holding ROLE_STUDENT to escalate to ROLE_ADMIN. The operation's security expression, is_granted('EDIT', object), only verifies that the caller owns the record, while the roles field remains in the writable serialization group, so the roles value from the request body is applied to the caller's own user record without any further authorization check. By setting roles on their own record, an attacker gains full administrative control of the platform, including access to all courses, user data, grades, and administrative settings.

Recommendations

Update to version 2.0.0-RC.3.
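The two ingredients named in the description, an ownership-only security expression and a roles field in the writable group, are shown below beside a hardened resource, as an added example that is not Chamilo's code. It assumes API Platform 3 attribute syntax; the class names, the user:read / user:write / admin:write groups and the email field are illustrative, and the two small functions at the end only model the framework's group filtering and post-denormalize check so the difference can be seen without booting Symfony.

```php
<?php
declare(strict_types=1);

// Added example, not Chamilo's code. Resource shapes follow API Platform 3
// attributes (ApiPlatform\Metadata\*); class, group and field names are
// illustrative. The `use` lines matter only to a framework that reflects the
// attributes; the file also runs under plain `php` because nothing here
// instantiates them.

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\Put;
use Symfony\Component\Serializer\Annotation\Groups;

// Vulnerable shape described in the advisory: PUT is gated only by an
// ownership voter, and `roles` sits in the group every record owner can write.
#[ApiResource(
    operations: [
        new Get(security: "is_granted('EDIT', object)"),
        new Put(security: "is_granted('EDIT', object)"),
    ],
    normalizationContext: ['groups' => ['user:read']],
    denormalizationContext: ['groups' => ['user:write']],
)]
class VulnerableUser
{
    #[Groups(['user:read', 'user:write'])]
    public string $email = '';

    #[Groups(['user:read', 'user:write'])] // writable by the record owner: the bug
    public array $roles = ['ROLE_STUDENT'];
}

// Hardened shape: `roles` is writable only through an admin-only group, and
// securityPostDenormalize rejects any role change by a non-admin even if a
// context builder ever adds that group by mistake. `previous_object` is API
// Platform's clone of the entity taken before the request body was applied.
#[ApiResource(
    operations: [
        new Get(security: "is_granted('EDIT', object)"),
        new Put(
            security: "is_granted('EDIT', object)",
            securityPostDenormalize: "is_granted('ROLE_ADMIN') or object.getRoles() == previous_object.getRoles()",
        ),
    ],
    normalizationContext: ['groups' => ['user:read']],
    denormalizationContext: ['groups' => ['user:write']], // 'admin:write' is added only for admins
)]
class HardenedUser
{
    #[Groups(['user:read', 'user:write'])]
    public string $email = '';

    #[Groups(['user:read', 'admin:write'])]
    private array $roles = ['ROLE_STUDENT'];

    public function getRoles(): array { return $this->roles; }
    public function setRoles(array $roles): void { $this->roles = $roles; }
}

// Minimal model of the two framework steps: (1) keep only payload fields that
// share at least one group with the denormalization context, (2) apply the
// post-denormalize rule to the resulting role change.
function writableFields(array $payload, array $fieldGroups, array $contextGroups): array
{
    return array_filter(
        $payload,
        fn (string $field): bool => isset($fieldGroups[$field])
            && array_intersect($fieldGroups[$field], $contextGroups) !== [],
        ARRAY_FILTER_USE_KEY
    );
}

function roleChangeAllowed(bool $isAdmin, array $before, array $after): bool
{
    return $isAdmin || $before === $after;
}

// Constructed request: a student PUTs their own record with an elevated role.
$payload = ['email' => 'student@example.test', 'roles' => ['ROLE_ADMIN']];
$context = ['user:write']; // what a non-admin caller gets

$vulnerableGroups = ['email' => ['user:read', 'user:write'], 'roles' => ['user:read', 'user:write']];
$hardenedGroups   = ['email' => ['user:read', 'user:write'], 'roles' => ['user:read', 'admin:write']];

$vuln = writableFields($payload, $vulnerableGroups, $context);
$hard = writableFields($payload, $hardenedGroups, $context);

echo "vulnerable: roles applied = ", json_encode($vuln['roles'] ?? null), "\n";
echo "hardened:   roles applied = ", json_encode($hard['roles'] ?? null), "\n";
echo "post-denormalize, student changing ROLE_STUDENT to ROLE_ADMIN: ",
    roleChangeAllowed(false, ['ROLE_STUDENT'], ['ROLE_ADMIN']) ? "allowed" : "denied", "\n";
```

Run with `php example.php`: the vulnerable group layout lets the roles value from the body through, the hardened layout drops the field before it reaches the entity, and the post-denormalize rule denies the change independently. The ownership voter is the right check for fields like email; the fix is to stop treating ownership as sufficient for privilege-bearing fields, both at the serialization layer (group) and in the operation's authorization (securityPostDenormalize), so that neither control has to be correct on its own.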

Weakness Enumeration

Improper Privilege Management

Incorrect Authorization

Related Identifiers

CVE-2026-40291

Affected Products

Chamilo Lms