{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33708", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.747Z", "datePublished": "2026-04-10T18:54:35.034Z", "dateUpdated": "2026-04-10T18:54:35.034Z"}, "containers": {"cna": {"title": "Chamilo LMS has REST API PII Exposure via get_user_info_from_username", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": "< 1.11.38", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T18:54:35.034Z"}, "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38."}], "source": {"advisory": "GHSA-qwch-82q9-q999", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38."}], "id": "CVE-2026-33708", "lastModified": "2026-04-13T15:02:06.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T19:16:24.107", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2"}, {"source": "security-advisories@github.com", "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.38)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-04-10T20:51:05.415682+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Chamilo LMS to version 1.11.38 or later."], "summary": {"action": "Immediate Patch", "impact": "PII Exposure"}, "threat_synthesis": {"affected_systems": "All Chamilo LMS installations running a version earlier than 1.11.38 are affected. Users of these earlier versions, regardless of their role within the system, can exploit the vulnerability to access the personal data of other users.", "description_and_impact": "Chamilo Learning Management System fails to enforce authorization on its get_user_info_from_username REST API, allowing any authenticated user to retrieve sensitive personal details\u2014such as email addresses, first and last names, user IDs, and account status\u2014of any other user, including students. This constitutes a confidentiality breach, exposing personally identifying information and thereby violating privacy requirements.", "risk_and_exploitability": "The vulnerability is rated at a moderate severity score of 6.5. Since the exploit requires only authentication to the LMS, the likelihood of exploitation is high in environments where many users have legitimate access. The actionable exploit vector appears to be any authenticated web request to the exposed API endpoint. The vulnerability is not cataloged as a known exploited vulnerability by the relevant national security agency, and public data on exploit probability is unavailable."}}}}, "created": "2026-04-13T12:43:21.536601+00:00", "updated": "2026-04-13T12:59:41.034152+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}