{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33710/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33710"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33710","chamilo","api-key","brute-force","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a popular learning management system, contains a vulnerability in versions prior to 1.11.38 and 2.0.0-RC.3 related to the generation of REST API keys (CVE-2026-33710). The API keys are generated using a flawed algorithm: \u003ccode\u003emd5(time() + (user_id * 5) - rand(10000, 10000))\u003c/code\u003e. Because \u003ccode\u003erand(10000, 10000)\u003c/code\u003e always returns 10000, the formula simplifies to \u003ccode\u003emd5(timestamp + user_id*5 - 10000)\u003c/code\u003e. An attacker who knows a valid username and has a rough estimate of when the API key was generated can brute-force the key because of its limited entropy. This vulnerability allows unauthorized access to the Chamilo LMS REST API. The vulnerability was reported and patched in versions 1.11.38 and 2.0.0-RC.3. This poses a significant threat to educational institutions and organizations using vulnerable versions of Chamilo LMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target Chamilo LMS instance running a vulnerable version (prior to 1.11.38 or 2.0.0-RC.3).\u003c/li\u003e\n\u003cli\u003eAttacker obtains a valid username on the target Chamilo LMS instance through OSINT or credential stuffing.\u003c/li\u003e\n\u003cli\u003eAttacker estimates the API key creation time. This might be inferred from user activity or system logs.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a script to generate potential API keys based on the predictable formula \u003ccode\u003emd5(timestamp + user_id*5 - 10000)\u003c/code\u003e using the known username and estimated timestamp.\u003c/li\u003e\n\u003cli\u003eThe script iterates through a range of timestamps around the estimated creation time, generating corresponding MD5 hashes.\u003c/li\u003e\n\u003cli\u003eAttacker sends API requests with the generated API keys to the Chamilo LMS server.\u003c/li\u003e\n\u003cli\u003eThe server validates the API key against the user.\u003c/li\u003e\n\u003cli\u003eUpon successful validation, the attacker gains unauthorized access to the Chamilo LMS REST API, potentially allowing them to modify course content, access user data, or perform other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33710 can lead to unauthorized access to sensitive data within the Chamilo LMS, including user information, course materials, and grades. This could result in data breaches, academic fraud, and reputational damage for affected organizations. The vulnerability affects all organizations running vulnerable versions of Chamilo LMS; the number of victims correlates with the number of vulnerable deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-33710.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests originating from unexpected IP addresses, especially bursts of requests carrying candidate API keys; the provided Sigma rule covers this pattern.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints to mitigate brute-force attempts.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider temporarily disabling the REST API.\u003c/li\u003e\n\u003cli\u003eReview and audit user permissions within Chamilo LMS to minimize the impact of potential unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-api-key-bruteforce/","summary":"Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 generate predictable REST API keys, allowing attackers with knowledge of a username and approximate key creation time to brute-force access.","title":"Chamilo LMS REST API Key Brute-Force Vulnerability (CVE-2026-33710)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-api-key-bruteforce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-33710","version":"https://jsonfeed.org/version/1.1"}