CVE-2026-33707
Published: 10 April 2026
Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates secure authenticator management with sufficient strength of mechanism, expiration/refresh procedures, and protections against compromise, directly countering the predictable, non-expiring sha1($email) reset tokens.
SI-2 requires timely remediation of software flaws, ensuring patches like those in Chamilo 1.11.38/2.0.0-RC.3 are identified, tested, and applied to fix the weak password reset mechanism.
AC-7 enforces rate limiting and lockouts on authentication-related attempts, addressing the absence of rate limiting on password reset requests, which the advisory names as part of both the vulnerability and its fix.
Security Summary
CVE-2026-33707 affects Chamilo LMS, an open-source learning management system, in versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability lies in the default password reset mechanism, which generates reset tokens using a deterministic SHA1 hash of the user's email address (sha1($email)) without any random component, expiration time, or rate limiting. This makes the tokens fully predictable for anyone who knows the target email, enabling unauthorized password changes. The issue is classified under CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) with a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating critical severity due to high impacts on confidentiality and integrity.
Any unauthenticated attacker with knowledge of a victim's email address—which is often publicly exposed or guessable—can exploit this over the network with low complexity and no user interaction required. By computing the exact reset token, the attacker can initiate a password reset request and immediately use the token to set a new password for the victim account, gaining full unauthorized access to the user's profile, courses, and potentially administrative functions depending on the victim's privileges.
The vulnerability is addressed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3 through commits that improve token generation with randomness, expiration, and rate limiting, as detailed in the GitHub security advisory (GHSA-f27g-66gq-g7v2) and specific patches (commits 078d7e5b77679fa7ccfcd6783bd5cc683db0bda8 and 750a45312a0d5c3ad60dbfbd0d959ca40be4a18c). Security practitioners should upgrade affected instances immediately and review email exposure in their deployments.
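The deterministic scheme the advisory describes, placed beside a hardened replacement that adds the three missing properties (randomness, expiry, rate limiting) and stores only a hash of the token. This is an added example, not Chamilo's own code or the referenced patches; the in-memory $store, the 15-minute lifetime and the three-requests-per-hour limit are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory store standing in for the reset-token and request-log tables.
$store = ['tokens' => [], 'attempts' => []];

// The weak scheme from the advisory: fully determined by the email, never expires.
function weakResetToken(string $email): string {
    return sha1($email);
}

// Hardened scheme: CSPRNG token, hash-only storage, expiry, per-email rate limit.
function issueResetToken(array &$store, string $email, int $now, int $ttl = 900): ?string {
    // Assumed policy: at most 3 reset requests per email in any 3600-second window.
    $window = array_filter($store['attempts'][$email] ?? [], fn(int $t) => $t > $now - 3600);
    if (count($window) >= 3) {
        return null;                              // caller should respond identically to success
    }
    $window[] = $now;
    $store['attempts'][$email] = $window;

    $token = bin2hex(random_bytes(32));           // 256 bits of entropy, unguessable
    $store['tokens'][$email] = [
        'hash'    => hash('sha256', $token),      // a database leak does not reveal usable tokens
        'expires' => $now + $ttl,
    ];
    return $token;                                // delivered only to the account's mailbox
}

// Constant-time verification; a token is single-use and rejected after expiry.
function verifyResetToken(array &$store, string $email, string $token, int $now): bool {
    $rec = $store['tokens'][$email] ?? null;
    if ($rec === null || $now > $rec['expires']) {
        return false;
    }
    if (!hash_equals($rec['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store['tokens'][$email]);
    return true;
}

// Demonstration with a constructed address.
$email = 'student@example.test';
$now   = time();
$token = issueResetToken($store, $email, $now);
var_dump(verifyResetToken($store, $email, $token, $now));        // accepted once
var_dump(verifyResetToken($store, $email, $token, $now));        // consumed, so rejected
var_dump(weakResetToken($email) === sha1($email));               // the property the fix removes
```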
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a flaw in a public-facing web application (Chamilo LMS) that allows remote unauthenticated exploitation to predict and use password reset tokens, directly enabling T1190 (Exploit Public-Facing Application) for initial access and facilitating T1078 (Valid Accounts) by granting unauthorized control over existing user accounts.