VYPR
Medium severity · NVD Advisory · Published Mar 16, 2026 · Updated May 19, 2026

CVE-2026-3111

Description

Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa, specifically at the endpoint '/archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg' (where 'AAxAA' stands for the sizes 80x90 and 40x45). Successful exploitation of this vulnerability could allow an unauthenticated attacker to access the profile photos of all users via a manipulated URL, enabling them to collect user photos en masse. This could lead to these photos being used maliciously to impersonate identities, perform social engineering, link identities across platforms using facial recognition, or even carry out doxxing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An IDOR in Campus Educativa lets unauthenticated attackers access all user profile photos by manipulating the URL, enabling mass collection and potential misuse.

Vulnerability Overview

CVE-2026-3111 is an Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa, specifically at the endpoint /archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg (including 80x90 and 40x45 thumbnail sizes). The lack of proper access controls allows an attacker to enumerate user IDs and usernames, directly retrieving profile photos of all users [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by simply manipulating the URL parameters—changing the numeric ID and username—to access any user's profile photo. No authentication or special privileges are required. The attacker can systematically iterate over ID/username combinations to collect photos en masse [1].

Impact

Successful exploitation enables the attacker to harvest profile photos of all users. These photos could be used for malicious activities such as impersonating identities, performing social engineering attacks, linking identities across platforms using facial recognition, or doxxing individuals [1].

Mitigation

The vulnerability has been fixed by the Educativa team in version 14.05.00-159 and later. Users are advised to update to the latest version to remediate the issue [1].
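
One way to review web server access logs for the bulk photo collection described above, as an added example (not code from Educativa or the advisory). It assumes combined-format access logs; the sample lines, IP addresses, usernames and the threshold of 3 are constructed for illustration and need tuning against normal campus traffic.

```python
import re
from collections import defaultdict

# Path shape taken from the advisory:
# /archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg with sizes 80x90 and 40x45
THUMB_RE = re.compile(r"^/archivos/usuarios/(\d+)/[^/]+/thumb_(?:80x90|40x45)\.jpg$")
# Minimal combined-log-format matcher (assumed format): client IP, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3})')

# Constructed sample log lines, not real traffic
SAMPLE_LOG = """\
192.0.2.10 - - [16/Mar/2026:10:00:01 +0000] "GET /archivos/usuarios/101/alice/thumb_80x90.jpg HTTP/1.1" 200 5120
192.0.2.10 - - [16/Mar/2026:10:00:02 +0000] "GET /archivos/usuarios/102/bob/thumb_80x90.jpg HTTP/1.1" 200 4980
192.0.2.10 - - [16/Mar/2026:10:00:03 +0000] "GET /archivos/usuarios/103/carol/thumb_40x45.jpg HTTP/1.1" 404 0
192.0.2.10 - - [16/Mar/2026:10:00:04 +0000] "GET /archivos/usuarios/104/dave/thumb_80x90.jpg HTTP/1.1" 200 5033
198.51.100.7 - - [16/Mar/2026:10:05:00 +0000] "GET /archivos/usuarios/101/alice/thumb_40x45.jpg HTTP/1.1" 200 2100
198.51.100.7 - - [16/Mar/2026:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 900
"""

def find_enumerators(lines, min_distinct_ids=3):
    """Flag clients that requested thumbnails for many different user IDs.

    Returns {client_ip: {"requested": n, "served": [ids]}} where "served"
    lists the user IDs whose photo was actually returned (HTTP 200).
    """
    requested = defaultdict(set)
    served = defaultdict(set)
    for line in lines:
        entry = LOG_RE.match(line)
        if not entry:
            continue  # not a GET request or not in the assumed log format
        ip, path, status = entry.groups()
        thumb = THUMB_RE.match(path.split("?", 1)[0])  # ignore any query string
        if not thumb:
            continue
        user_id = int(thumb.group(1))
        requested[ip].add(user_id)
        if status == "200":
            served[ip].add(user_id)
    return {
        ip: {"requested": len(ids), "served": sorted(served[ip])}
        for ip, ids in requested.items()
        if len(ids) >= min_distinct_ids
    }

if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The "served" list gives the accounts whose photos left the server, which is the set to consider when assessing exposure on versions earlier than 14.05.00-159.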

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
