CVE-2026-31282
Deferred Deferred - Pending Action
Incorrect Access Control in Totara LMS Enables Brute Force Attack

Publication date: 2026-04-13

Last updated on: 2026-05-06

Assigner: MITRE

Description
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client side control); (2) there is no evidence SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when disabled server side.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31282
EUVD
EUVD-2026-21930
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
totara totara_lms to 19.1.5 (exc)
totara totara_lms to 19.1.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow an attacker to bypass authentication controls and gain unauthorized access to the Totara LMS system.

Because the login form lacks rate-limiting, attackers can perform brute force attacks to guess user credentials remotely, potentially compromising user accounts and sensitive information.

Executive Summary

CVE-2026-31282 is a critical security vulnerability in Totara LMS versions up to and including 19.1.5. It involves incorrect access control in the login page code, which can be manipulated to reveal the login form and bypass the Octa login mechanism. This flaw allows an attacker to circumvent authentication controls.

Additionally, the login form lacks rate-limiting protections, enabling an attacker to perform brute force attacks to obtain user credentials remotely and without authentication.

Detection Guidance

This vulnerability can be detected by examining the behavior of the Totara LMS login page to see if it reveals the login form in a way that bypasses normal access controls. Additionally, monitoring for absence of rate-limiting on login attempts can indicate susceptibility to brute force attacks.

Specific commands are not provided in the available resources, but detection could involve testing the login page manually or with automated tools to check if the login form can be manipulated to bypass authentication and if multiple rapid login attempts are allowed without restriction.

Mitigation Strategies

Immediate mitigation steps include implementing server-side validation for the login form instead of relying solely on client-side checks.

Additionally, adding rate-limiting controls on the login form to prevent brute force attacks is essential.

Upgrading Totara LMS to a version later than 19.1.5, where this vulnerability has been fixed, is also recommended.

Compliance Impact

The vulnerability in Totara LMS versions up to 19.1.5 allows attackers to bypass authentication controls and perform brute force attacks to obtain user credentials. This unauthorized access risk can lead to exposure of personal and sensitive data stored within the system.

Such exposure and unauthorized access could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of user data and implementation of adequate access controls to prevent data breaches.

Therefore, failure to mitigate this vulnerability may result in non-compliance with these regulations due to insufficient access control and potential data compromise.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31282. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart