{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33706/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-33706"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","CVE-2026-33706"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33706 affects Chamilo LMS, a learning management system. Prior to version 1.11.38, the vulnerability allows an authenticated user, specifically a student (status=5), with a valid REST API key, to elevate their privileges. This is achieved by exploiting the \u003ccode\u003eupdate_user_from_username\u003c/code\u003e endpoint in the REST API. By sending a crafted request, a student can modify their user status to Teacher/CourseManager (status=1). This privilege escalation grants the attacker the ability to create and manage courses, access sensitive data, and potentially disrupt the learning environment. The vulnerability has been patched in version 1.11.38, so upgrading is strongly recommended. 
The root cause is an authorization gap rather than a parsing bug: the endpoint accepted a caller-supplied \u003ccode\u003estatus\u003c/code\u003e value without checking that the caller was permitted to change it, so an authenticated but unprivileged user could write an attribute only an administrator should set.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains valid credentials for a student account within the Chamilo LMS.\u003c/li\u003e\n\u003cli\u003eAttacker generates a REST API key associated with their student account.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP POST request targeting the \u003ccode\u003eupdate_user_from_username\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the attacker\u0026rsquo;s own username and a modified status value (5, student, changed to 1, Teacher/CourseManager) within the request body.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the Chamilo LMS server, authenticating with their REST API key.\u003c/li\u003e\n\u003cli\u003eThe Chamilo LMS server, lacking an authorization check on the status field, updates the attacker\u0026rsquo;s user status in the database.\u003c/li\u003e\n\u003cli\u003eThe attacker logs out and then logs back in to the Chamilo LMS.\u003c/li\u003e\n\u003cli\u003eUpon re-authentication, the attacker holds Teacher/CourseManager privileges, enabling them to create and manage courses and to access the data of students enrolled in those courses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33706 lets a student obtain Teacher/CourseManager privileges (status=1) on the Chamilo LMS instance. This can lead to unauthorized course creation, modification of student grades, theft of course and student data, and disruption of the learning environment. Every instance running a version prior to 1.11.38 that issues REST API keys to student accounts is exposed. 
The attacker gains course-level rather than platform-administrator rights, but because the status is rewritten in the database the elevation persists across sessions and covers every course the attacker goes on to create.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or later to patch CVE-2026-33706.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies and regularly audit user permissions; in particular, compare the current \u003ccode\u003estatus\u003c/code\u003e of accounts provisioned as students against their expected value, since an account that moved from 5 to 1 without a recorded administrative change is a strong indicator of exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003eupdate_user_from_username\u003c/code\u003e endpoint (see example Sigma rule below). A standard access log records only the request line, so if the action and the new status travel in the POST body, application-level or request-body logging is needed to see them.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts in real-time, and on instances that cannot be patched promptly revoke or rotate the REST API keys held by student accounts, since a valid key is a precondition for the attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-privesc/","summary":"Chamilo LMS before 1.11.38 allows authenticated users with a REST API key to escalate their privileges by modifying their user status via the update_user_from_username endpoint, potentially granting unauthorized course management capabilities.","title":"Chamilo LMS Privilege Escalation via REST API (CVE-2026-33706)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-33706","version":"https://jsonfeed.org/version/1.1"}
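The brief's monitoring recommendation, as an added worked example that is neither CraftedSignal's nor Chamilo's own code: a small scanner that parses combined-format access-log lines and flags requests aimed at the update_user_from_username action. It assumes the REST API is served under main/webservices/api/ (v2.php) and selects its operation with an `action` parameter, as in Chamilo 1.11; both the path fragment and the sample log lines are constructed for the example. It also handles the case the brief warns about: a POST whose action is carried only in the body shows up in the access log with a bare path, so those are reported at a lower "review" level rather than silently dropped.

```python
"""Scan web-server access logs for CVE-2026-33706 exploitation attempts.

Added example; not CraftedSignal's or Chamilo's own code.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumption: the REST API is reached under main/webservices/api/ and selects
# its operation with an `action` parameter (Chamilo 1.11 layout). Adjust the
# fragment if your deployment is laid out differently.
API_PATH_FRAGMENT = "/main/webservices/api/"
SUSPICIOUS_ACTION = "update_user_from_username"

# Apache/nginx "combined" format; the referer and user agent that follow are
# not needed for this check, so the pattern only anchors at the start.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    ts: str
    level: str    # "high": the action is visible; "review": only the API path is
    reason: str
    target: str


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Decide whether one parsed log entry is worth alerting on."""
    target = entry["target"]
    if API_PATH_FRAGMENT not in target:
        return None
    query = parse_qs(urlsplit(target).query)
    actions = query.get("action", [])
    if SUSPICIOUS_ACTION in actions:
        who = query.get("username", ["?"])[0]
        return Hit(entry["ip"], entry["ts"], "high",
                   f"{SUSPICIOUS_ACTION} requested for username={who}", target)
    if entry["method"] == "POST" and not actions:
        # The action and the new status value may be carried only in the POST
        # body, which the access log never records, so these entries can be
        # neither confirmed nor cleared without request-body logging.
        return Hit(entry["ip"], entry["ts"], "review",
                   "POST to REST API with no action in the request line", target)
    return None


def scan(lines):
    """Run every line through the parser and classifier; skip unparseable lines."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is not None:
            hits.append(hit)
    return hits


def hits_by_ip(hits):
    """Count hits per client address so repeated probing stands out."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


# Constructed sample log lines (not real traffic): an ordinary page view, an
# attempt with the action in the query string, an API POST whose action is
# hidden in the body, a legitimate mobile-app login, and an unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Apr/2026:12:01:03 +0000] "GET /courses/INTRO101/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Apr/2026:12:01:45 +0000] "POST /main/webservices/api/v2.php?action=update_user_from_username&username=student42 HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.7 - - [11/Apr/2026:12:02:10 +0000] "POST /main/webservices/api/v2.php HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.9 - - [11/Apr/2026:12:03:00 +0000] "POST /main/webservices/api/v2.php?action=authenticate HTTP/1.1" 200 120 "-" "Chamilo-Mobile/2.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"[{h.level}] {h.ts} {h.ip} {h.reason}")
    print(hits_by_ip(scan(SAMPLE_LOG)))
```

Run against the constructed sample, the scanner reports one "high" hit (the action and target username are in the query string) and one "review" hit (bare POST to the API path) from the same address, and ignores the legitimate `authenticate` call. The "review" tier is deliberate: without request-body logging the access log cannot distinguish an exploit attempt from a benign API call, so the real confirmation is the database audit the brief recommends, comparing each student account's current status against the value it was provisioned with.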