Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-34160 (PATCHED) · CVSS 8.6 · chamilo / chamilo-lms

Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services

Description

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3.
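The description names the missing control precisely: a caller-supplied URL was handed to curl with no check on where it pointed, so link-local, loopback and RFC 1918 destinations (the cloud metadata address included) were reachable. The following is an added example, not code from Chamilo or from this page, of the pre-fetch guard a defender would put in front of such a fetch: restrict the scheme, refuse embedded credentials, resolve the host, and reject the request if any resolved address is not public unicast. The function names, the injectable resolver hook, and the example hostnames used in the test are this example's own assumptions.

```python
"""SSRF guard for server-side URL fetches (added example, not Chamilo code)."""
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web fetches are expected for a package URL; file://, gopher://,
# dict:// and the other schemes curl understands are refused up front.
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: every address the name maps to (A and AAAA)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    ipaddress.is_global already excludes loopback, RFC 1918, link-local
    (169.254.0.0/16, which covers 169.254.169.254), CGNAT and unspecified
    addresses; multicast and reserved ranges are excluded explicitly.
    """
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the v4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast and not ip.is_reserved


def check_fetch_url(url, resolver=_resolve):
    """Return (ok, reason). ok is True only when the URL is safe to fetch.

    `resolver` is an assumption of this example: a callable returning the
    list of addresses for a hostname, so the check can be unit-tested offline.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"

    # A literal IP needs no lookup; a name is resolved and *every* answer is
    # checked, because an attacker-controlled name may mix public and
    # internal addresses to slip one past a first-answer-only check.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except socket.gaierror as exc:
            return False, f"DNS failure for {host}: {exc}"
    if not addresses:
        return False, f"{host} resolved to no addresses"

    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} -> {addr} is not a public address"
    return True, f"{host} -> {','.join(addresses)}"


if __name__ == "__main__":
    # Constructed sample inputs, including the metadata address from the advisory.
    for sample in (
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
        "http://127.0.0.1:8080/",
        "ftp://93.184.216.34/pkg.zip",
        "https://93.184.216.34/pkg.zip",
    ):
        print(sample, "->", check_fetch_url(sample))
```

Two caveats belong with this check: the fetch itself must not follow redirects blindly (a public host can answer 302 to an internal address, so each Location must be run through the same guard), and the connection should be made to the address that was validated rather than re-resolving the name, otherwise a DNS answer that changes between check and connect defeats the test.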

Affected Products

Vendor    Product       Versions
chamilo   chamilo-lms   < 2.0-RC.3

References

  • https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-g2xj-4cch-j276 (x_refsource_CONFIRM)
  • https://github.com/chamilo/chamilo-lms/commit/de4058d76fac2413afd023b1ec942e8e79579011 (x_refsource_MISC)
  • https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3 (x_refsource_MISC)

Related News (1 article)

Tier C · VulDB · 6h ago
CVE-2026-34160 | Chamilo LMS up to 2.0-RC.2 Exchange Notification Service pens.php package-url missing authentication (GHSA-g2xj-4cch-j276)
→ No new info (linked only)
CVSS 3.1: 8.6 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: 2.0.0-RC.3
CWE: CWE-306, CWE-918
Published: Apr 14, 2026
Last enriched: 5h ago (v2)
Trending Score: 30
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes, 0 downvotes (no votes yet)

Related CVEs (5)

  • CVE-2026-34370 · CRITICAL · EXP · Trending: 49
    Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private notes
  • CVE-2026-34602 · CRITICAL · EXP · Trending: 49
    Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses
  • CVE-2026-35196 · CRITICAL · EXP · Trending: 49
    Chamilo LMS has OS Command Injection via export_all_certificates action
  • CVE-2026-33714 · CRITICAL · Trending: 30
    Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2)
  • CVE-2026-33715 · CRITICAL · Trending: 30
    Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 14, 2026
Patch Available: Apr 14, 2026
Discovered by ZDM: Apr 14, 2026
Updated (severity, patchAvailable): Apr 14, 2026

Version History

v2 · Tier C · 5h ago (last enriched 5h ago)

Updated severity to CRITICAL, noted that no exploit is available, and specified the fixed version as 2.0.0-RC.3.

Changed fields: severity, patchAvailable
via VulDB

v1 · 6h ago

Initial creation