CVE-2026-1106

5.4 MEDIUM

📋 TL;DR

This vulnerability in Chamilo LMS allows attackers to manipulate the userId parameter of the deleteLegal function, which performs an improper authorization check. Attackers can exploit this remotely to delete legal consent records without proper permissions. All Chamilo LMS installations up to version 2.0.0 Beta 1 are affected.

💻 Affected Systems

Products:
  • Chamilo LMS
Versions: Up to 2.0.0 Beta 1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Legal Consent Handler component in SocialController.php

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could delete legal consent records for any user, potentially violating data protection regulations and compromising user privacy controls.

🟠 Likely Case

Unauthorized deletion of legal consent records, disrupting compliance tracking and user preference management.

🟢 If Mitigated

Limited impact with proper access controls and monitoring in place, though authorization bypass remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit has been publicly released; it requires some authentication but bypasses authorization checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a version beyond 2.0.0 Beta 1 if available, or apply manual code fixes.

🔧 Temporary Workarounds

Disable Legal Consent Handler (applies to: all)

Temporarily disable the vulnerable Legal Consent Handler component.

# Modify src/CoreBundle/Controller/SocialController.php to comment out or remove deleteLegal function

Implement Input Validation (applies to: all)

Add proper authorization checks before processing the userId parameter.

# Add session validation and user permission checks in deleteLegal function

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious userId parameter manipulation
  • Restrict network access to Chamilo LMS to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check the Chamilo LMS version. If the version is 2.0.0 Beta 1 or earlier, the system is vulnerable.

Check Version:

Check the Chamilo configuration files or the admin panel for version information.

Verify Fix Applied:

Test the deleteLegal function with a userId parameter that does not belong to the current user to confirm that proper authorization checks are in place.

📡 Detection & Monitoring

Log Indicators:

  • Multiple deleteLegal requests with different userId parameters from the same source
  • Unauthorized access attempts to legal consent functions

Network Indicators:

  • HTTP POST requests to SocialController.php with manipulated userId parameters

SIEM Query:

source="web_server" AND uri="*SocialController*" AND (method="POST" OR params CONTAINS "userId")
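As an added example (not part of this advisory), a small Python detector for the log indicators above, run over constructed sample access-log lines: it flags sources that issue deleteLegal requests for several distinct userId values and counts denied attempts per source. The log format and request paths are assumptions; only the deleteLegal and SocialController tokens named in the advisory are used to match requests.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from any real deployment). Assumed
# format: client_ip authenticated_user "METHOD path?query HTTP/1.1" status.
# The paths are placeholders; only the deleteLegal token is matched on.
SAMPLE_LOG = """\
203.0.113.7 alice "POST /social/deleteLegal?userId=42 HTTP/1.1" 200
203.0.113.7 alice "POST /social/deleteLegal?userId=43 HTTP/1.1" 200
203.0.113.7 alice "POST /social/deleteLegal?userId=44 HTTP/1.1" 200
198.51.100.9 bob "POST /social/deleteLegal?userId=17 HTTP/1.1" 200
198.51.100.9 bob "GET /social/profile?userId=17 HTTP/1.1" 200
192.0.2.5 carol "POST /social/deleteLegal?userId=99 HTTP/1.1" 403
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) \S+" (\d{3})$')


def parse_line(line):
    """Return (ip, user, method, path, query dict, status), or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, user, method, target, status = m.groups()
    parts = urlsplit(target)
    return ip, user, method, parts.path, parse_qs(parts.query), int(status)


def is_legal_consent_request(path):
    # The advisory names the deleteLegal handler in SocialController.php.
    return "deleteLegal" in path or "SocialController" in path


def find_suspicious_sources(log_text, min_distinct_ids=2):
    """Sources with deleteLegal requests for several distinct userId values,
    plus a per-source count of legal-consent requests denied with 401/403."""
    ids_by_source = defaultdict(set)
    denied_by_source = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _user, _method, path, query, status = rec
        if not is_legal_consent_request(path):
            continue
        for uid in query.get("userId", []):
            ids_by_source[ip].add(uid)
        if status in (401, 403):
            denied_by_source[ip] += 1
    multi_id = {ip: sorted(ids) for ip, ids in ids_by_source.items()
                if len(ids) >= min_distinct_ids}
    return multi_id, dict(denied_by_source)
```

Real deployments usually carry userId in a POST body rather than the query string, so this check only works where the request parameters are logged.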
