CVE-2026-31282
Incorrect Access Control in Totara LMS Enables Brute Force Attack
Publication date: 2026-04-13
Last updated on: 2026-05-06
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totara | totara_lms | to 19.1.5 (exc) |
| totara | totara_lms | to 19.1.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Totara LMS versions up to 19.1.5 allows attackers to bypass authentication controls and perform brute force attacks to obtain user credentials. This unauthorized access risk can lead to exposure of personal and sensitive data stored within the system.
Such exposure and unauthorized access could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of user data and implementation of adequate access controls to prevent data breaches.
Therefore, failure to mitigate this vulnerability may result in non-compliance with these regulations due to insufficient access control and potential data compromise.
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass authentication controls and gain unauthorized access to the Totara LMS system.
Because the login form lacks rate-limiting, attackers can perform brute force attacks to guess user credentials remotely, potentially compromising user accounts and sensitive information.
Can you explain this vulnerability to me?
CVE-2026-31282 is a critical security vulnerability in Totara LMS versions up to and including 19.1.5. It involves incorrect access control in the login page code, which can be manipulated to reveal the local login form and bypass the Okta login mechanism. This flaw allows an attacker to circumvent authentication controls.
Additionally, the login form lacks rate-limiting protections, enabling an attacker to perform brute force attacks to obtain user credentials remotely and without authentication.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by examining the behavior of the Totara LMS login page to see whether it reveals the local login form in a way that bypasses the configured authentication flow. Additionally, the absence of rate-limiting on login attempts indicates susceptibility to brute force attacks.
Specific commands are not provided in the available resources, but detection could involve testing the login page manually or with automated tools to check whether the login form can be manipulated to bypass authentication and whether multiple rapid login attempts are accepted without restriction.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing server-side validation for the login form instead of relying solely on client-side checks.
Additionally, adding rate-limiting controls on the login form to prevent brute force attacks is essential.
Upgrading Totara LMS to a version later than 19.1.5, where this vulnerability has been fixed, is also recommended.
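As an added illustration of the two mitigations listed above (example code, not Totara's own): a server-side login gate that takes the login mode from server configuration rather than from anything the client sends, and rate-limits failed attempts per account and per source IP within a sliding window. The attempt limits, the window length and the verify_password callback are assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed policy values for this example, not Totara settings.
MAX_FAILURES = 5        # failed attempts tolerated per key inside the window
WINDOW_SECONDS = 300    # sliding window length in seconds


class LoginGate:
    """Server-side login gate.

    sso_only comes from server configuration; a client-supplied parameter
    asking for the local form is never consulted, so the form cannot be
    "revealed" by manipulating the request. Failed attempts are counted per
    account and per source IP so neither a single account nor a single
    source can be hammered without limit.
    """

    def __init__(self, sso_only, verify_password, now=time.time):
        self.sso_only = sso_only                # decided by the server only
        self.verify_password = verify_password  # assumed credential check
        self.now = now                          # injectable clock for testing
        self.failures = defaultdict(deque)      # key -> recent failure times

    def _recent_failures(self, key, t):
        q = self.failures[key]
        while q and t - q[0] > WINDOW_SECONDS:  # drop entries outside window
            q.popleft()
        return q

    def is_limited(self, key, t=None):
        t = self.now() if t is None else t
        return len(self._recent_failures(key, t)) >= MAX_FAILURES

    def attempt(self, username, password, source_ip):
        """Return 'sso_required', 'rate_limited', 'ok' or 'invalid'."""
        if self.sso_only:
            return "sso_required"   # local form is not offered at all
        t = self.now()
        keys = (f"user:{username.lower()}", f"ip:{source_ip}")
        if any(self.is_limited(k, t) for k in keys):
            return "rate_limited"   # checked before the password is verified
        if self.verify_password(username, password):
            for k in keys:
                self.failures[k].clear()
            return "ok"
        for k in keys:
            self.failures[k].append(t)
        return "invalid"
```

The limit check runs before credential verification, so a locked-out key receives the same response whether or not the guessed password happened to be right.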