Unrated severityNVD Advisory· Published Mar 2, 2026· Updated Mar 2, 2026

Chamilo: Potential unauthenticated blind SSRF via openid function

CVE-2024-50337

Description

Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on server's behalf, which results in unauthenticated blind SSRF. This issue has been patched in version 1.11.28.

Affected products

Chamilo/Chamilo Lmsv5
Range: < 1.11.28

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/chamilo/chamilo-lms/commit/43a9bd1fb8b3f57e7935a6a6bc48975e2063b01bmitrex_refsource_MISC
github.com/chamilo/chamilo-lms/releases/tag/v1.11.28mitrex_refsource_MISC
github.com/chamilo/chamilo-lms/security/advisories/GHSA-rp2w-g734-jf8hmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000