
PatchSiren cyber security CVE debrief

CVE-2026-3110 Educativa CVE debrief

An Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa allows unauthenticated attackers to export user enrollment data via a manipulated URL parameter. The vulnerable endpoint accepts a course ID parameter (`wid_cursoActual`) without proper authorization checks, enabling brute-force enumeration of course IDs to harvest usernames, names, email addresses, and phone numbers of all enrolled users. The vulnerability was disclosed by INCIBE-CERT and carries a HIGH severity CVSS 4.0 score of 8.7. As of the CVE modification date (2026-05-19), the NVD entry remains in 'Deferred' status, indicating pending analysis. No known exploitation in ransomware campaigns has been documented.

Vendor: Educativa
Product: Campus
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-16
Original CVE updated: 2026-05-19
Advisory published: 2026-03-16
Advisory updated: 2026-05-16

Who should care

Educational institutions deploying Campus Educativa software; security teams responsible for student information systems; privacy officers managing GDPR or FERPA compliance for educational records; incident response teams monitoring for bulk PII exfiltration patterns.

Technical summary

The vulnerability exists in the `/administracion/admin_usuarios.cgi` endpoint where the `wid_cursoActual` parameter accepts arbitrary course identifiers without session-based authorization validation. The endpoint exports XLSX files containing PII of enrolled users. An attacker can iterate through sequential or predictable course ID values to harvest data across the entire user base. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) reflects network accessibility, low attack complexity, no required privileges, and high confidentiality impact with no integrity or availability impact.
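The pattern described above, as an added example that is not Educativa's code: a course-roster export handler written first the way the flaw works (the URL's course id is the only input consulted) and then gated on the authenticated session's right to that course. The user records, course table, session layout and function names are assumptions for illustration; only the parameter name `wid_cursoActual` comes from the advisory.

```python
"""Added example (not Educativa code): the IDOR pattern in a course-export
handler, shown as a vulnerable function beside its hardened form.
Records, session layout and names are constructed for illustration."""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class User:
    username: str
    name: str
    email: str
    phone: str


@dataclass
class Course:
    # Usernames enrolled in the course, and usernames allowed to export its roster.
    enrolled: frozenset
    exporters: frozenset


# Constructed sample records (hypothetical people and courses).
USERS = {
    "alice": User("alice", "Alice Rey", "alice@example.edu", "+34 600 000 001"),
    "bob": User("bob", "Bob Ortiz", "bob@example.edu", "+34 600 000 002"),
    "carla": User("carla", "Carla Vila", "carla@example.edu", "+34 600 000 003"),
    "prof_ana": User("prof_ana", "Ana Prof", "ana@example.edu", "+34 600 000 004"),
}
COURSES = {
    "1001": Course(enrolled=frozenset({"alice"}), exporters=frozenset({"prof_ana"})),
    "1002": Course(enrolled=frozenset({"bob", "carla"}), exporters=frozenset({"prof_ana"})),
    "1003": Course(enrolled=frozenset({"alice", "bob"}), exporters=frozenset()),
}


class AuthorizationError(Exception):
    """Raised by the hardened handler when the caller may not export the course."""


def export_roster_vulnerable(session, wid_cursoActual):
    """Mirrors the flaw: the course id taken from the URL is the only input
    consulted. `session` is accepted but never checked, so an anonymous caller
    who supplies a valid id receives every enrolled user's PII."""
    course = COURSES.get(wid_cursoActual)
    if course is None:
        return None
    return [asdict(USERS[u]) for u in sorted(course.enrolled)]


def export_roster_hardened(session, wid_cursoActual):
    """Same export, gated on the authenticated session's right to this course.
    Unknown and forbidden ids produce the same error so the endpoint does not
    act as an oracle for which course ids exist."""
    if not session or not session.get("username"):
        raise AuthorizationError("authentication required")
    course = COURSES.get(wid_cursoActual)
    if course is None or session["username"] not in course.exporters:
        raise AuthorizationError("not authorised to export this course")
    return [asdict(USERS[u]) for u in sorted(course.enrolled)]


def hardened_export_denies(session, wid_cursoActual):
    """True when the hardened handler refuses the request (used for checks)."""
    try:
        export_roster_hardened(session, wid_cursoActual)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    # Anonymous caller with a valid id: the vulnerable handler returns two users' PII.
    print(export_roster_vulnerable(None, "1002"))
    # The same request is refused by the hardened handler; the course's exporter succeeds.
    print(hardened_export_denies(None, "1002"),
          hardened_export_denies({"username": "prof_ana"}, "1002"))
```

The hardened version checks two things the vulnerable one skips: that a session exists at all, and that the session's user is among those entitled to export this particular course. Enrolment alone is not enough (a student enrolled in a course still cannot export its roster), which is the object-level check the advisory says is missing.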

Defensive priority

HIGH

Recommended defensive actions

  • Implement strict authorization checks on the /administracion/admin_usuarios.cgi endpoint to verify the requesting user has legitimate access to the specified course ID
  • Replace predictable sequential course IDs with non-enumerable identifiers (UUIDs) to prevent brute-force attacks
  • Add rate limiting and anomaly detection for repeated requests to the export endpoint with varying ID parameters
  • Review and audit all similar export endpoints in the application for equivalent IDOR vulnerabilities
  • Ensure access logs capture client IP, user session, and requested course ID for forensic analysis
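The third and fifth actions above, as an added example that is neither PatchSiren's nor Educativa's tooling: a detector that reads access log lines recording client IP, session and request, and raises one alert per source that requests the export endpoint with many distinct `wid_cursoActual` values inside a short window. The log layout is an assumed custom format chosen to carry exactly the fields the debrief asks for; the sample lines are constructed, and only the endpoint path and parameter name come from the advisory.

```python
"""Added example (not vendor or PatchSiren code): flag enumeration of the
course-id parameter on the export endpoint from access log lines.
The log format is an assumption: <ISO8601 time> <client ip> session=<id|-> <method> <path?query> <status>."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

EXPORT_PATH = "/administracion/admin_usuarios.cgi"  # from the advisory
ID_PARAM = "wid_cursoActual"                         # from the advisory

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) session=(?P<session>\S+) "
    r"(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one anonymous source walking sequential ids,
# one authenticated user re-exporting a single course, one unrelated hit.
SAMPLE_LOG = """\
2026-03-16T10:00:01Z 203.0.113.7 session=- GET /administracion/admin_usuarios.cgi?wid_cursoActual=1001 200
2026-03-16T10:00:03Z 203.0.113.7 session=- GET /administracion/admin_usuarios.cgi?wid_cursoActual=1002 200
2026-03-16T10:00:05Z 203.0.113.7 session=- GET /administracion/admin_usuarios.cgi?wid_cursoActual=1003 200
2026-03-16T10:00:07Z 203.0.113.7 session=- GET /administracion/admin_usuarios.cgi?wid_cursoActual=1004 404
2026-03-16T10:00:09Z 203.0.113.7 session=- GET /administracion/admin_usuarios.cgi?wid_cursoActual=1005 200
2026-03-16T10:00:10Z 198.51.100.4 session=a1b2c3 GET /administracion/admin_usuarios.cgi?wid_cursoActual=1002 200
2026-03-16T10:15:10Z 198.51.100.4 session=a1b2c3 GET /administracion/admin_usuarios.cgi?wid_cursoActual=1002 200
2026-03-16T10:15:12Z 198.51.100.4 session=a1b2c3 GET /index.cgi 200
2026-03-16T11:00:00Z 192.0.2.9 session=- GET /administracion/admin_usuarios.cgi?wid_cursoActual=1001 200
"""


def parse_line(line):
    """Return an event dict for a request to the export endpoint carrying the
    course-id parameter, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != EXPORT_PATH:
        return None
    ids = parse_qs(parts.query).get(ID_PARAM)
    if not ids:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ip": m["ip"], "session": m["session"],
            "course_id": ids[0], "status": int(m["status"])}


def detect_enumeration(lines, window_seconds=300, distinct_threshold=5):
    """One alert per (ip, session) that requests at least distinct_threshold
    distinct course ids within any window_seconds span. Anonymous sessions ('-')
    match the advisory's scenario; authenticated bulk scraping is flagged too."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_source = defaultdict(list)
    for e in events:
        by_source[(e["ip"], e["session"])].append(e)
    alerts = []
    for (ip, session), evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            ids = {e["course_id"] for e in window}
            if len(ids) >= distinct_threshold:
                alerts.append({"ip": ip, "session": session, "distinct_ids": len(ids),
                               "exports_succeeded": sum(e["status"] == 200 for e in window),
                               "first": evs[start]["ts"], "last": evs[end]["ts"]})
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run over the sample, the detector reports the anonymous source that touched five different course ids in eight seconds (four of which returned 200, so data actually left), and stays quiet for the legitimate user who exported the same course twice. The `exports_succeeded` count is what an incident responder needs first: it bounds how many rosters were obtained.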

Evidence notes

Vulnerability description sourced from NVD record with INCIBE-CERT advisory as primary reference. CVSS 4.0 vector confirms network attack vector with no privileges required. Vendor identification marked as low confidence due to 'Unknown Vendor' classification in source data; 'Campus Educativa' appears to be the product name with INCIBE as the coordinating authority.

Official resources

2026-03-16