CVE-2026-29041
📋 TL;DR
This vulnerability allows authenticated low-privileged users in Chamilo LMS to upload malicious files and execute arbitrary code on the server. The system fails to properly validate file extensions and storage locations, relying only on MIME-type checks. All Chamilo installations prior to version 1.11.34 are affected.
💻 Affected Systems
- Chamilo LMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, lateral movement, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthorized access to sensitive student/teacher data, grade manipulation, or installation of web shells for ongoing access.
If Mitigated
Limited impact with proper file upload restrictions, but still potential for privilege escalation if other vulnerabilities exist.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an account is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.34
Vendor Advisory: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4pc3-4w2v-vwx8
Restart Required: No
Instructions:
1. Back up your Chamilo installation and database.
2. Download version 1.11.34 from the official repository.
3. Replace the existing files with the patched version.
4. Run the database upgrade script if needed.
5. Verify functionality.
🔧 Temporary Workarounds
Restrict File Upload Extensions
Configure the web server to deny requests for files with executable extensions inside the upload directories, so an uploaded script is never served or executed. Scope the rules to the upload directories only: applied site-wide they would also block Chamilo's own PHP pages.
# In Apache .htaccess (placed in the upload directory; requires AllowOverride for that path):
<FilesMatch "\.(php|phtml|phar|php3|php4|php5|php7|php8|pl|cgi|exe|dll|bat|cmd|sh|bash|py|rb|js|jsp|asp|aspx)">
    # Apache 2.2 syntax:
    Order Allow,Deny
    Deny from all
    # Apache 2.4 syntax (use this instead of the two lines above):
    Require all denied
</FilesMatch>
# The pattern is deliberately not anchored with "$", so names such as shell.php.jpg are also denied.
# In Nginx config (inside the server block, scoped to the upload path and placed before any
# "location ~ \.php$" fastcgi handler, because the first matching regex location wins):
location ~* ^/path/to/uploads/.*\.(php|phtml|phar|php3|php4|php5|php7|php8|pl|cgi|exe|dll|bat|cmd|sh|bash|py|rb|js|jsp|asp|aspx)$ {
    deny all;
}
Implement File Upload Quarantine
Store uploaded files outside the web root with strict permissions, so that nothing a user uploads is reachable by a direct URL.
# Move the upload directory outside the web root
mkdir -p /var/chamilo_uploads
chown www-data:www-data /var/chamilo_uploads
chmod 750 /var/chamilo_uploads
# Then reconfigure the application to read and write uploads in this directory, so files are only
# delivered through application code (which can enforce its own checks) and never by the web server directly.
🧯 If You Can't Patch
- Implement strict file upload validation at application level
- Restrict user account creation and monitor for suspicious upload activity
🔍 How to Verify
Check if Vulnerable:
Check Chamilo version in admin panel or by examining main/inc/conf/configuration.php for version number
Check Version:
grep -r "chamilo_version" main/inc/conf/configuration.php 2>/dev/null || echo "Check admin panel for version"
Verify Fix Applied:
Verify version is 1.11.34 or later and test file upload functionality with restricted extensions
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with executable extensions
- Multiple failed upload attempts followed by successful upload
- User accounts uploading files shortly after creation
Network Indicators:
- HTTP POST requests to upload endpoints with unusual file types
- Subsequent requests to uploaded files in unusual locations
SIEM Query:
source="web_server" (method="POST" AND uri="*upload*" AND (file_extension="php" OR file_extension="exe" OR file_extension="sh"))
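The log and network indicators above, turned into detection logic that runs over web-server access log lines, as an added example that is not part of the original advisory. It assumes combined-format access logs and uses /upload/ as a placeholder for the deployment's upload paths; the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta
# Executable extensions, mirrored from the web-server deny rules in the workaround above.
EXEC_EXT = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "php8",
            "pl", "cgi", "sh", "py", "rb", "jsp", "asp", "aspx"}
UPLOAD_PREFIXES = ("/upload/",)  # placeholder: replace with your deployment's upload paths
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    # Combined-format access log line -> dict with parsed timestamp, path and extension.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["uri"].split("?", 1)[0].lower()
    name = rec["path"].rsplit("/", 1)[-1]
    rec["ext"] = name.rsplit(".", 1)[-1] if "." in name else ""
    return rec

def detect(lines, window=timedelta(minutes=10), retry_threshold=2):
    """Return (rule, ip, uri) alerts for the log and network indicators listed above."""
    alerts, last_upload, failed = [], {}, {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ok = rec["ip"], rec["status"].startswith("2")
        if rec["method"] == "POST" and "upload" in rec["path"]:
            if ok:  # accepted upload: remember it, flag it if preceded by repeated rejections
                last_upload[ip] = rec["ts"]
                if failed.get(ip, 0) >= retry_threshold:
                    alerts.append(("retries_then_success", ip, rec["uri"]))
                failed[ip] = 0
            elif rec["status"].startswith("4"):
                failed[ip] = failed.get(ip, 0) + 1
            continue
        if rec["ext"] in EXEC_EXT and any(p in rec["path"] for p in UPLOAD_PREFIXES):
            since = last_upload.get(ip)  # recent upload by the same client raises confidence
            rule = "upload_then_exec" if since and rec["ts"] - since <= window else "exec_under_upload_path"
            alerts.append((rule, ip, rec["uri"]))
    return alerts
# Constructed sample (not real traffic): two rejected uploads, one accepted, then a request
# for a .php file under the upload path from the same client.
SAMPLE = [
    '203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "POST /document/upload HTTP/1.1" 400 120',
    '203.0.113.5 - - [01/Mar/2026:10:00:05 +0000] "POST /document/upload HTTP/1.1" 400 120',
    '203.0.113.5 - - [01/Mar/2026:10:00:20 +0000] "POST /document/upload HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Mar/2026:10:01:02 +0000] "GET /upload/users/42/x.php HTTP/1.1" 200 64',
]
```

Running `detect(SAMPLE)` yields one "retries_then_success" alert for the accepted upload and one "upload_then_exec" alert for the later request to the .php file; a request for a .pdf under the same path produces nothing.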