CVE-2026-34160
CVE-2026-34160 is a high-severity vulnerability in Chamilo Chamilo Lms with a CVSS 3.x base score of 8.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-306.
Key facts
- Severity: High (CVSS 3.x base score 8.6)
- EPSS exploit prediction: 0% (26th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-22712
- Weakness: CWE-306
- Affected product: Chamilo Chamilo Lms
- Published:
- Last modified:
Description
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3.
Frequently asked questions
- What is CVE-2026-34160?
- Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3.
- How severe is CVE-2026-34160?
- CVE-2026-34160 has a CVSS 3.x base score of 8.6, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-34160 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-34160?
- CVE-2026-34160 primarily affects Chamilo Chamilo Lms. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-34160?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-34160 have an EU (EUVD) identifier?
- Yes. CVE-2026-34160 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-22712.
- When was CVE-2026-34160 published?
- CVE-2026-34160 was published on 2026-04-14 and last updated on 2026-06-17.
References
- https://github.com/chamilo/chamilo-lms/commit/de4058d76fac2413afd023b1ec942e8e79579011
- https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-g2xj-4cch-j276
Affected products (11)
- cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*
More vulnerabilities in Chamilo Chamilo Lms
- CVE-2026-33698 — Critical (CVSS 9.8): Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code…
- CVE-2026-28430 — Critical (CVSS 9.8): Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection…
- CVE-2025-52998 — Critical (CVSS 9.8): Chamilo is a learning management system. Prior to version 1.11.30, in the application, deserialization of data is…
- CVE-2025-50192 — Critical (CVSS 9.8): Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection in found in…
- CVE-2025-50190 — Critical (CVSS 9.8): Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET…
- CVE-2025-50187 — Critical (CVSS 9.8): Chamilo is a learning management system. Prior to version 1.11.28, parameter from SOAP request is evaluated without…
All CVEs affecting Chamilo Chamilo Lms →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →