PT-2026-3374 · Unknown · Chamilo Lms

Angelkate · Published 2026-01-18 · Updated 2026-01-18 · CVE-2026-1106

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Chamilo LMS versions up to 2.0.0 Beta 1

Description: A security flaw exists in Chamilo LMS that allows for remote unauthorized access due to improper authorization. The issue is located within the deleteLegal function of the Legal Consent Handler component, specifically in the file src/CoreBundle/Controller/SocialController.php. Manipulation of the userId argument can lead to unauthorized actions. The exploit for this issue has been publicly released.

Recommendations: Versions prior to 2.0.0 Beta 1 should be used. As a temporary workaround, consider restricting access to the deleteLegal() function until a patch is available.

Exploit

Fix

Weakness Enumeration: Improper Authorization, Incorrect Privilege Assignment

Related Identifiers: CVE-2026-1106

Affected Products: Chamilo Lms