Critical Vulnerability CVE-2026-33707 in Chamilo LMS Allows Account Takeover
Severity: High (Score: 70.5)
Sources: www.thehackerwire.com, infosec.exchange, Feedly
Summary
CVE-2026-33707 is a critical vulnerability affecting Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. The flaw lies in the password reset mechanism: the reset token is derived as sha1($email), with no random or secret input, no expiration, and no rate limiting on reset requests. Because the token depends only on the address, an unauthenticated attacker who knows (or can guess) a user's email address can compute the reset token, complete the reset flow, and take over the account. The impact includes unauthorized access to learning data, modification of course content, and impersonation of users, including administrators. Fixed versions (1.11.38 and 2.0.0-RC.3) are available; as of this writing there is no evidence of exploitation in the wild and no public proof-of-concept. Organizations should upgrade their Chamilo LMS installations immediately and review password-reset requests and account access logs for activity that does not match the legitimate user. The assigned CVSS base score is 9.4, which falls in the Critical range.
Key Points:
• CVE-2026-33707 allows unauthenticated account takeover in Chamilo LMS because the password reset token is a deterministic hash of the user's email address.
• Affected versions are prior to 1.11.38 and 2.0.0-RC.3; fixed versions are available.
• No evidence of exploitation in the wild has been reported as of now.
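The following is an added illustration, not Chamilo code and not the vendor's patch. It reproduces the token design the advisory describes (a bare sha1 of the email), shows the check an operator can run on a reset link from their own installation to confirm the token is predictable, and contrasts it with an assumed hardened design: a random token, hashed at rest, with expiry, single use, constant-time comparison, and a per-account request limit. The email address, TTL and request limit are constructed values chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Weak scheme as described in the advisory: the token is sha1(email) and
# nothing else, so the server's computation and the attacker's are identical.
# (Reproduction of the described flaw, not Chamilo's actual source.)
def weak_reset_token(email: str) -> str:
    return hashlib.sha1(email.encode("utf-8")).hexdigest()


def token_is_predictable(email: str, token_from_link: str) -> bool:
    """Check a reset token taken from a reset e-mail against sha1(email).

    Assumption for this example: the token is hex sha1 of the address exactly
    as stored; the lowercased variant is also tried in case the address was
    normalised before hashing.
    """
    candidates = {weak_reset_token(email), weak_reset_token(email.lower())}
    return any(hmac.compare_digest(c, token_from_link) for c in candidates)


# Hardened scheme (assumed design for illustration, not the vendor's fix).
class ResetTokenStore:
    TOKEN_TTL = 15 * 60              # seconds a token stays valid (assumed)
    MAX_REQUESTS_PER_WINDOW = 3      # reset requests per account per window (assumed)
    WINDOW = 60 * 60                 # rate-limit window in seconds (assumed)

    def __init__(self, now=time.time):
        self._now = now                # injectable clock so expiry can be tested
        self._pending = {}             # email -> (sha256(token), expires_at)
        self._requests = {}            # email -> timestamps of recent requests

    def issue(self, email: str) -> str:
        now = self._now()
        recent = [t for t in self._requests.get(email, []) if now - t < self.WINDOW]
        if len(recent) >= self.MAX_REQUESTS_PER_WINDOW:
            raise RuntimeError("rate limited: too many reset requests for this account")
        recent.append(now)
        self._requests[email] = recent
        # 256 bits from the OS CSPRNG; knowing the email tells you nothing about it.
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a database read does not yield usable tokens.
        self._pending[email] = (hashlib.sha256(token.encode()).hexdigest(),
                                now + self.TOKEN_TTL)
        return token

    def redeem(self, email: str, token: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[email]   # expired tokens are discarded, not reused
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            return False
        del self._pending[email]       # single use: a replayed link fails
        return True


if __name__ == "__main__":
    victim = "alice@example.org"      # constructed address
    leaked_link_token = weak_reset_token(victim)
    print("weak token predictable:", token_is_predictable(victim, leaked_link_token))
    store = ResetTokenStore()
    t = store.issue(victim)
    print("hardened token predictable:", token_is_predictable(victim, t))
    print("first redeem:", store.redeem(victim, t), "replay:", store.redeem(victim, t))
```

The operator check is the first function pair: paste the token from a reset e-mail sent to a test account on your own instance; if it equals the hex SHA-1 of that account's address, the instance is running the vulnerable scheme. The hardened class is the shape a fix needs to take regardless of framework: the attacker's knowledge of the email must give no information about the token, and the token must stop working on its own after a short time and after one use.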
Key Entities
- Data Breach (attack_type)
- CVE-2026-33707 (cve)
- Chamilo LMS (platform)