Advisory severity: high

Chamilo LMS REST API Key Brute-Force Vulnerability (CVE-2026-33710)

Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 generate predictable REST API keys, allowing attackers with knowledge of a username and approximate key creation time to brute-force access.

Chamilo LMS, a popular learning management system, contains a vulnerability in versions prior to 1.11.38 and 2.0.0-RC.3 in the way REST API keys are generated (CVE-2026-33710). The keys are derived with a flawed formula: md5(time() + (user_id * 5) - rand(10000, 10000)). Because rand(10000, 10000) always returns 10000, this simplifies to md5(timestamp + user_id*5 - 10000), leaving the one-second timestamp as the only unknown input. An attacker who knows a valid username and has a rough estimate of when the API key was generated can therefore brute-force the key, since the key space collapses to the width of that timestamp window. This allows unauthorized access to the Chamilo LMS REST API. The vulnerability was reported and patched in versions 1.11.38 and 2.0.0-RC.3. It poses a significant threat to educational institutions and organizations running vulnerable versions of Chamilo LMS.

Attack Chain

  1. Attacker identifies a target Chamilo LMS instance running a vulnerable version (prior to 1.11.38 or 2.0.0-RC.3).
  2. Attacker obtains a valid username on the target Chamilo LMS instance through OSINT or credential stuffing.
  3. Attacker estimates the API key creation time. This might be inferred from user activity or system logs.
  4. Attacker crafts a script to generate potential API keys based on the predictable formula md5(timestamp + user_id*5 - 10000) using the known username and estimated timestamp.
  5. The script iterates through a range of timestamps around the estimated creation time, generating corresponding MD5 hashes.
  6. Attacker sends API requests with the generated API keys to the Chamilo LMS server.
  7. The server validates the API key against the user.
  8. Upon successful validation, the attacker gains unauthorized access to the Chamilo LMS REST API, potentially allowing them to modify course content, access user data, or perform other malicious actions.

Impact

Successful exploitation of CVE-2026-33710 can lead to unauthorized access to sensitive data within the Chamilo LMS, including user information, course materials, and grades. This could result in data breaches, academic fraud, and reputational damage for affected organizations. The vulnerability affects every organization running a vulnerable version of Chamilo LMS; the number of victims is correlated with the number of vulnerable deployments.

Recommendation

  • Upgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-33710.
  • Monitor web server logs, using the Sigma rules provided below, for unusual API requests from unexpected IP addresses, especially repeated requests carrying candidate API keys.
  • Implement rate limiting on API endpoints to mitigate brute-force attempts.
  • If upgrading is not immediately feasible, consider temporarily disabling the REST API.
  • Review and audit user permissions within Chamilo LMS to minimize the impact of potential unauthorized access.

Detection coverage (2 rules)

Detect Chamilo LMS API Brute-Force Attempts via Multiple Failed Authentication Responses

Severity: medium

Detects potential brute-force attacks against the Chamilo LMS API by monitoring for multiple failed authentication responses from the web server.

Rule type: sigma | Tactics: credential_access | Techniques: T1110.001 | Sources: webserver, linux

Detect Chamilo LMS API Access from Uncommon User Agent

Severity: low

Detects potential API access from unusual user agents, potentially indicating automated or malicious activity against Chamilo LMS.

Rule type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux
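Detection logic matching the two rule descriptions above, as an added example that is not part of this advisory and not Chamilo's own code: it parses combined-format web server log lines (constructed sample traffic) and flags, per source IP, repeated failed REST API authentications inside a sliding time window and API requests from non-browser user agents. The endpoint path main/webservices/api/v2.php and the 401/403 status codes for a rejected key are assumptions; adjust them to what the monitored instance actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumptions: Chamilo 1.11 serves its REST API at main/webservices/api/v2.php and rejects a bad api_key with 401/403.
API_PATH = "/main/webservices/api/v2.php"
FAILED_STATUSES = {401, 403}

def parse_line(line):
    # Returns a dict for a well-formed combined-log line, None otherwise.
    m = LOG_RE.match(line)
    return m and {"ip": m["ip"], "path": m["path"], "status": int(m["status"]), "ua": m["ua"],
                  "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Rule 1: {ip: peak number of failed API authentications inside any window_seconds window}."""
    failures = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].startswith(API_PATH) and rec["status"] in FAILED_STATUSES:
            failures[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1                      # slide the window past failures that aged out
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts

def find_uncommon_agents(lines, expected_prefixes=("Mozilla/",)):
    """Rule 2: {ip: sorted User-Agents} for API requests not sent by an expected browser agent."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].startswith(API_PATH) and not rec["ua"].startswith(expected_prefixes):
            seen[rec["ip"]].add(rec["ua"])
    return {ip: sorted(uas) for ip, uas in seen.items()}

def _entry(ip, second, status, ua="python-requests/2.31"):  # constructed sample traffic, not real logs
    return f'{ip} - - [10/Mar/2026:12:00:{second:02d} +0000] "POST {API_PATH} HTTP/1.1" {status} 87 "-" "{ua}"'

SAMPLE_LOG = [_entry("203.0.113.7", s, 401) for s in range(1, 6)] + [
    _entry("203.0.113.7", 6, 200),                      # key accepted after five rejections
    _entry("198.51.100.4", 30, 401, ua="Mozilla/5.0"),  # one failure from a browser: below threshold
    "not an access-log line",                           # parser must skip this safely
]
```

Tune threshold and window_seconds to the observed baseline of legitimate API clients before alerting on the output.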
