Critical (9.1)

CVE-2026-32892: Chamilo LMS RCE


Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.li...

Overview

A critical command injection vulnerability, CVE-2026-32892, affects Chamilo LMS. The flaw resides in the move() function within fileManage.lib.php. This function calls PHP's exec() to run a shell command that moves files, but it fails to properly sanitize the user-supplied path parameters, allowing an attacker to inject and execute arbitrary operating system commands.

Affected Versions

All Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable. Users of the 1.11.x branch or the 2.0.0 release candidate must take immediate action.

Vulnerability Details

The vulnerability is triggered when a user moves a document. The move_to POST parameter from document.php is passed through only an HTML filter (Security::remove_XSS()) before being directly concatenated into a shell command like exec("mv $source $target"). Because the filter does not escape shell metacharacters, an attacker can break out of the intended command.

Exploitation requires an authenticated user with teacher privileges in a course. By default, Chamilo allows users to create courses (allow_users_to_create_courses = true), making this privilege level widely accessible. An attacker can first create a directory with a malicious name (achievable via the Course Backup Import feature) and then trigger the move operation to that directory, resulting in command execution with the privileges of the web server process (typically www-data).
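The pattern the advisory describes, shown as an added illustration rather than Chamilo's own code: an HTML-oriented filter leaves shell metacharacters untouched before exec(), so the fix is to stop building a shell command from user input at all. Function names, the strip_tags() stand-in for Security::remove_XSS(), and the base-directory confinement are assumptions for this example.

```php
<?php
// Weak pattern (as described in the advisory): an HTML/XSS filter removes
// markup but leaves ; | & $ ` and friends intact, so they reach the shell.
function moveWeak(string $source, string $target): void
{
    $source = strip_tags($source);   // stands in for Security::remove_XSS()
    $target = strip_tags($target);
    exec("mv $source $target");      // $target is interpolated into a shell line
}

// True when $path is $base itself or lies below it (both already canonical).
function isUnder(string $path, string $base): bool
{
    return $path === $base || str_starts_with($path, $base . DIRECTORY_SEPARATOR);
}

// Hardened form: confine both paths to the document root by canonical path,
// accept only a plain relative directory name, and move with the filesystem
// API instead of a shell. Returns false on any rejected input.
function moveSafe(string $source, string $target, string $baseDir): bool
{
    $base = realpath($baseDir);
    $src  = realpath($source);
    if ($base === false || $src === false || !isUnder($src, $base)) {
        return false;                // source missing or outside the base dir
    }
    // Only letters, digits, '_', '-', '.', '/' and no '..' segments.
    if (!preg_match('~^[A-Za-z0-9_./-]+$~', $target) || str_contains($target, '..')) {
        return false;
    }
    $dst = realpath($base . DIRECTORY_SEPARATOR . $target);
    if ($dst === false || !is_dir($dst) || !isUnder($dst, $base)) {
        return false;                // destination does not resolve inside base
    }
    return rename($src, $dst . DIRECTORY_SEPARATOR . basename($src));
}

// If a shell command were truly unavoidable, every argument would need
// escapeshellarg(): exec('mv ' . escapeshellarg($src) . ' ' . escapeshellarg($dst));
```

The allow-list check on the destination name is deliberately stricter than escapeshellarg() alone, since it also blocks path traversal, which the shell-quoting function does not address.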

Impact

Successful exploitation grants an attacker the ability to execute arbitrary commands on the underlying server. This can lead to a complete compromise of the Chamilo instance, including data theft, installation of malware, or use of the server as a pivot point into the network. The high CVSS score of 9.1 reflects the low attack complexity and high impact of remote code execution.

Remediation and Mitigation

The primary and mandatory action is to upgrade your Chamilo LMS installation.

  • Upgrade to version 1.11.38 or later for the 1.11.x branch.
  • Upgrade to version 2.0.0-RC.3 or later for the 2.0.0 release candidate line.

If immediate patching is impossible, consider these temporary mitigations:

  • Set the configuration option allow_users_to_create_courses to false in the configuration.php file. This restricts the pool of potential attackers by preventing standard users from obtaining the necessary teacher role.
  • Ensure the web server process (www-data) runs with the most restrictive system privileges possible.
  • Monitor server logs for unusual system command execution or file operations originating from the Chamilo application directory.


Security Insight

This vulnerability underscores the persistent risk of improper input sanitization when interfacing with system shells, a classic flaw that continues to appear in modern applications. The fact that a simple HTML filter was deemed sufficient for a shell command parameter points to a critical gap in the project’s secure development lifecycle. It mirrors past incidents in other platforms where input validation was applied for the wrong context (like web output) but not for the actual consumption layer (the OS shell), leading to severe breaches.
