{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33707/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.4,"id":"CVE-2026-33707"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-33707","chamilo","lms","password-reset","credential-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a widely used learning management system, is susceptible to a critical vulnerability (CVE-2026-33707) affecting versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability lies within the default password reset mechanism, which generates password reset tokens by applying SHA1 hashing directly to user email addresses. This flawed process lacks essential security measures, including the addition of random salts, token expiration, and rate limiting. An attacker who obtains a target user\u0026rsquo;s email address can calculate the password reset token and gain unauthorized access to the user\u0026rsquo;s account, bypassing authentication controls. The vulnerability was publicly disclosed in April 2026 and patched in versions 1.11.38 and 2.0.0-RC.3. Organizations using vulnerable versions of Chamilo LMS are at high risk of account compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a valid email address associated with a Chamilo LMS user. 
This information may be obtained through OSINT or data breaches.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the password reset page of the Chamilo LMS instance.\u003c/li\u003e\n\u003cli\u003eThe attacker enters the victim\u0026rsquo;s email address into the password reset form.\u003c/li\u003e\n\u003cli\u003eThe system generates a password reset token by applying SHA1 to the victim\u0026rsquo;s email address without any salt or random component.\u003c/li\u003e\n\u003cli\u003eThe attacker computes the SHA1 hash of the victim\u0026rsquo;s email address offline.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the computed SHA1 hash as the password reset token in a crafted request to the password reset confirmation endpoint.\u003c/li\u003e\n\u003cli\u003eThe Chamilo LMS instance validates the attacker-supplied token against the SHA1 hash of the email.\u003c/li\u003e\n\u003cli\u003eThe attacker sets a new password for the victim\u0026rsquo;s account and gains full access to the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33707 allows an attacker to take complete control of user accounts within the Chamilo LMS platform. This can lead to data breaches, modification of course content, disruption of educational activities, and potential reputational damage for the affected institution. The lack of rate limiting on password reset requests can allow for automated account takeover attempts affecting many users. 
Given the widespread use of Chamilo LMS in educational institutions and organizations globally, the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 to remediate CVE-2026-33707.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on password reset requests to mitigate automated attacks attempting to exploit this vulnerability (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to detect attempts to exploit this vulnerability by monitoring password reset requests (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious password reset requests originating from unusual IPs or with unusually high frequency (reference: rules logsource).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-lms-weak-password-reset/","summary":"Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to a weak password reset mechanism, allowing attackers to compute password reset tokens using only a user's email address due to the use of SHA1 hashing without randomization, expiration, or rate limiting, leading to unauthorized account takeover.","title":"Chamilo LMS Weak Password Reset Vulnerability (CVE-2026-33707)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-lms-weak-password-reset/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-33707","version":"https://jsonfeed.org/version/1.1"}
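The following is an added example written for this brief; it is not Chamilo's code and does not reproduce the project's reset endpoint. It puts the token pattern the attack chain describes (token = SHA1 of the email address, so anyone holding the address computes it offline) beside a hardened form a practitioner would replace it with (random token from a CSPRNG, only a keyed hash stored, bound to the account, expiring, consumed on first use), and it adds the log check the monitoring recommendation asks for: a sliding-window count of reset submissions per source IP over constructed access-log lines. The reset path, the log format, the pepper value and the in-memory store are assumptions made for illustration.

```python
"""Added example for the CVE-2026-33707 brief, not Chamilo's code: weak
sha1(email) reset token beside a random, expiring, single-use token, plus
a per-IP burst check over constructed access-log lines. RESET_PATH, the
log format, the pepper and the in-memory store are assumptions."""
import hashlib
import hmac
import re
import secrets
import time
from collections import defaultdict, deque
from datetime import datetime


def weak_reset_token(email: str) -> str:
    """Vulnerable pattern: the token is a pure function of a public value,
    so whoever knows the email computes the same token offline."""
    return hashlib.sha1(email.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Hardened pattern: random token, only its keyed hash stored, bound to
    the account, expiring, and consumed on first use."""

    def __init__(self, pepper: bytes, ttl_seconds: int = 900, clock=time.time):
        self._pepper = pepper   # server-side secret, kept out of the database
        self._ttl = ttl_seconds
        self._clock = clock     # injectable so expiry can be tested
        self._pending = {}      # email -> (token_hash, expires_at)

    def _digest(self, email: str, token: str) -> str:
        # Keyed hash binds the token to one account; a leaked table yields
        # nothing usable without the pepper, and never the token itself.
        msg = email.encode("utf-8") + b"\x00" + token.encode("utf-8")
        return hmac.new(self._pepper, msg, hashlib.sha256).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[email] = (self._digest(email, token), self._clock() + self._ttl)
        return token  # goes only into the reset email, never stored in clear

    def redeem(self, email: str, token: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[email]
            return False
        if not hmac.compare_digest(token_hash, self._digest(email, token)):
            return False
        del self._pending[email]  # single use: a replayed token fails
        return True


# Log-based detection for the monitoring recommendation.
RESET_PATH = "/main/auth/lostPassword.php"  # assumed path, for illustration only
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


def reset_request_bursts(log_lines, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for sources that POSTed RESET_PATH at least
    `threshold` times inside any `window_seconds` sliding window. Lines are
    expected in time order, as an access log normally is."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or m["path"].split("?")[0] != RESET_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


# Constructed sample log: one source fires six resets in 25 seconds, another
# sends a single reset and an unrelated GET.
SAMPLE_LOG = [
    f'203.0.113.7 - - [11/Apr/2026:09:00:{5 * i:02d} +0000] "POST {RESET_PATH} HTTP/1.1" 200 512'
    for i in range(6)
] + [
    f'198.51.100.4 - - [11/Apr/2026:09:00:12 +0000] "POST {RESET_PATH} HTTP/1.1" 200 512',
    '198.51.100.4 - - [11/Apr/2026:09:00:13 +0000] "GET /index.php HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    victim = "victim@example.org"
    print("weak token, forgeable from the address alone:", weak_reset_token(victim))
    store = ResetTokenStore(pepper=b"assumed-server-secret")
    tok = store.issue(victim)
    print("hardened redeem:", store.redeem(victim, tok), "replay:", store.redeem(victim, tok))
    print("reset bursts:", reset_request_bursts(SAMPLE_LOG))
```

The hardened store deliberately keeps no plaintext token and no per-user secret that an email address could substitute for: possession of the random value sent to the mailbox is the only way to pass `redeem`, and it works once and only within the TTL. The burst check is a coarse first signal; a deterministic token lets an attacker succeed with one request per account, so pair it with the post-upgrade review of completed resets rather than relying on volume alone.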