CVE-2026-34160 | Chamilo LMS up to 2.0-RC.2 Exchange Notification Service pens.php package-url missing authentication (GHSA-g2xj-4cch-j276)
VulDBArchived Apr 15, 2026✓ Full text saved
A vulnerability labeled as critical has been found in Chamilo LMS up to 2.0-RC.2 . The impacted element is an unknown function of the file public/plugin/Pens/pens.php of the component Exchange Notification Service . Such manipulation of the argument package-url leads to missing authentication. This vulnerability is traded as CVE-2026-34160 . The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.
Full text archived locally
✦ AI Summary· Claude Sonnet
VDB-357585 · CVE-2026-34160 · GHSA-G2XJ-4CCH-J276
CHAMILO LMS UP TO 2.0-RC.2 EXCHANGE NOTIFICATION SERVICE PENS.PHP PACKAGE-URL MISSING AUTHENTICATION
HISTORYDIFFRELATEJSONXMLCTI
CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
6.8 $0-$5k 1.70+
Summaryinfo
A vulnerability marked as critical has been reported in Chamilo LMS up to 2.0-RC.2. This affects an unknown function of the file public/plugin/Pens/pens.php of the component Exchange Notification Service. Performing a manipulation of the argument package-url results in missing authentication. This vulnerability is known as CVE-2026-34160. Remote exploitation of the attack is possible. No exploit is available. It is suggested to upgrade the affected component.
Detailsinfo
A vulnerability was found in Chamilo LMS up to 2.0-RC.2. It has been classified as critical. This affects an unknown code of the file public/plugin/Pens/pens.php of the component Exchange Notification Service. The manipulation of the argument package-url with an unknown input leads to a missing authentication vulnerability. CWE is classifying the issue as CWE-306. The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. This is going to have an impact on confidentiality. The summary by CVE is:
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3.
The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2026-34160 since 03/25/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details are known, but no exploit is available.
By approaching the search of inurl:public/plugin/Pens/pens.php it is possible to find vulnerable targets with Google Hacking.
Upgrading to version 2.0-RC.3 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch de4058d76fac2413afd023b1ec942e8e79579011 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
Productinfo
Type
Content Management System
Vendor
Chamilo
Name
LMS
Version
2.0-RC.0
2.0-RC.1
2.0-RC.2
License
open-source
CPE 2.3info
🔒
🔒
🔒
CPE 2.2info
🔒
🔒
🔒
CVSSv4info
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv3info
VulDB Meta Base Score: 6.9
VulDB Meta Temp Score: 6.8
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 8.6
CNA Vector (GitHub_M): 🔒
CVSSv2info
Vector Complexity Authentication Confidentiality Integrity Availability
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploitinginfo
Class: Missing authentication
CWE: CWE-306 / CWE-287
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Google Hack: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day Unlock Unlock Unlock Unlock
Today Unlock Unlock Unlock Unlock
Threat Intelligenceinfo
Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍
Countermeasuresinfo
Recommended: Upgrade
Status: 🔍
0-Day Time: 🔒
Upgrade: LMS 2.0-RC.3
Patch: de4058d76fac2413afd023b1ec942e8e79579011
Timelineinfo
03/25/2026 CVE reserved
04/14/2026 +19 days Advisory disclosed
04/14/2026 +0 days VulDB entry created
04/14/2026 +0 days VulDB entry last update
Sourcesinfo
Advisory: GHSA-g2xj-4cch-j276
Status: Confirmed
CVE: CVE-2026-34160 (🔒)
GCVE (CVE): GCVE-0-2026-34160
GCVE (VulDB): GCVE-100-357585
Entryinfo
Created: 04/14/2026 23:53
Changes: 04/14/2026 23:53 (71)
Complete: 🔍
Cache ID: 99:5A7:101
Discussion
No comments yet. Languages: en.
Please log in to comment.
◂ PreviousOverviewNext ▸