Chamilo Authorization Bypass Through User-Controlled Key Vulnerability - CVE-2026-33702

High
Reference: CVE-2026-33702
Title: Chamilo Authorization Bypass Through User-Controlled Key Vulnerability
Overview:

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress, including score, status, completion, and time, without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
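
The flaw class described above, as an added example that is neither Chamilo's code nor its patch: a request-supplied uid chosen as the write target, next to a version that takes the target from the session and refuses a mismatching uid. All function names, the `iid` parameter, and the in-memory progress store are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the progress store: [userId][itemId] => record.
$progress = [
    5 => [12 => ['score' => 90, 'status' => 'completed', 'time' => 600]],
    7 => [12 => ['score' => 10, 'status' => 'incomplete', 'time' => 30]],
];

// Vulnerable pattern: the target user is whatever the request says.
function targetUserVulnerable(array $request, int $sessionUserId): int
{
    return (int) ($request['uid'] ?? $sessionUserId);
}

// Hardened pattern: the session decides the target; a mismatching uid is refused.
function targetUserHardened(array $request, int $sessionUserId): int
{
    if (isset($request['uid']) && (string) $request['uid'] !== (string) $sessionUserId) {
        throw new RuntimeException('uid does not match the authenticated user');
    }
    return $sessionUserId;
}

// Hypothetical save routine: writes one item's progress for one user.
function saveItem(array &$progress, int $userId, int $itemId, array $fields): void
{
    $progress[$userId][$itemId] = $fields;
}

// Constructed request: user 7 is logged in but sends uid=5.
$sessionUserId = 7;
$request = ['uid' => '5', 'iid' => '12', 'score' => '0', 'status' => 'failed', 'time' => '1'];
$fields = ['score' => (int) $request['score'], 'status' => $request['status'], 'time' => (int) $request['time']];
$itemId = (int) $request['iid'];

// Run the vulnerable path against a copy so the original store stays intact.
$copy = $progress;
saveItem($copy, targetUserVulnerable($request, $sessionUserId), $itemId, $fields);
echo "vulnerable: user 5 score is now {$copy[5][12]['score']}\n";

try {
    saveItem($progress, targetUserHardened($request, $sessionUserId), $itemId, $fields);
} catch (RuntimeException $e) {
    echo "hardened: rejected ({$e->getMessage()})\n";
}
echo "hardened: user 5 score is still {$progress[5][12]['score']}\n";
```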