Cve-2026-31940 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-31940/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 11 Apr 2026 14:30:00 +0000Chamilo LMS Session Fixation Vulnerability (CVE-2026-31940)https://feed.craftedsignal.io/briefs/2026-04-chamilo-session-fixation/Sat, 11 Apr 2026 14:30:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-chamilo-session-fixation/Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to session fixation due to user-controlled request parameters being used to set the PHP session ID, potentially allowing attackers to hijack user sessions.Chamilo LMS, a learning management system, is susceptible to a session fixation vulnerability (CVE-2026-31940) in versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability stems from the application’s handling of user-controlled request parameters in the main/lp/aicc_hacp.php file. Specifically, these parameters are used directly to set the PHP session ID before the global bootstrap is loaded. This allows an attacker to potentially set a predictable session ID for a user, leading to session hijacking. The vulnerability was reported and patched, with fixes available in versions 1.11.38 and 2.0.0-RC.3. This is important for defenders to address to ensure integrity and confidentiality of user sessions.

Attack Chain

  1. Attacker crafts a malicious URL or form containing a specific session ID.
  2. Attacker lures a victim to access the crafted URL or form.
  3. The victim’s browser sends a request to the Chamilo LMS server with the attacker-controlled session ID.
  4. The Chamilo LMS application, specifically the main/lp/aicc_hacp.php script, uses the attacker-provided session ID to initialize the PHP session.
  5. The victim authenticates to the Chamilo LMS application.
  6. The attacker uses the predetermined session ID to access the victim’s authenticated session.
  7. Attacker gains unauthorized access to the victim’s account and associated data within the Chamilo LMS.

Impact

Successful exploitation of this vulnerability allows an attacker to hijack legitimate user sessions on a Chamilo LMS instance. This could result in unauthorized access to sensitive student or instructor data, modification of course content, or other malicious activities. The impact is high, particularly for educational institutions and organizations that rely on Chamilo LMS for their online learning platforms.

Recommendation

  • Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-31940.
  • Monitor web server logs for suspicious requests to main/lp/aicc_hacp.php containing unusual session ID parameters. Use the provided Sigma rule to detect potential exploitation attempts.
  • Implement the “Detect Potentially Malicious Session ID Parameter” Sigma rule to identify exploitation attempts.
]]>mediumadvisorysession-fixationweb-applicationcve-2026-31940