What the vulnerability does
01 Description
Authorization Bypass Through User-Controlled Key vulnerability in Kodezen LLC Academy LMS academy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Academy LMS: from n/a through <= 3.3.4.
Explanation of Vulnerability in Simple Terms
02 Summary
Academy LMS versions up to 3.3.4 contain an authorization flaw that allows high-privilege users to trigger a denial-of-service condition affecting site availability. The vulnerability requires administrative or elevated account access and does not involve user interaction. A low-level information disclosure may also occur. Update to a version newer than 3.3.4.
What an attacker can do
03 Attacker Capabilities
Trigger a denial-of-service condition and read limited sensitive information.
Potential impact on your site
04 Site Impact
Site availability may be disrupted by a privileged user; some data may be exposed.
Conditions required to exploit
05 Prerequisites
Attacker must have high-privilege account access (admin or equivalent role).
Key dates
06 Disclosure timeline
September 22, 2025: CVE published
April 28, 2026: Record updated