Chamilo Authorization Bypass Through User-Controlled Key Vulnerability - CVE-2026-33141
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or a supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3.