CVE-2026-31283
Rate Limiting Bypass in Totara LMS Forgot Password API Enables Email Bombing
Publication date: 2026-04-13
Last updated on: 2026-04-24
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totara | totara_lms | up to 19.1.6 (exclusive) |
| totara | totara_lms | up to 19.1.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-31283 vulnerability affects the Totara LMS product, specifically versions up to and including 19.1.5. It involves the Forgot Password API, which does not implement rate limiting on requests targeting a specific email address.
Because of this lack of rate limiting, an attacker can repeatedly trigger password reset emails to a victim's email address, resulting in an email bombing attack that can overwhelm the victim's inbox.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to send a large number of password reset emails to a victim's email address without restriction.
The resulting email bombing attack can overwhelm the victim's inbox, potentially causing denial of access to legitimate emails and creating disruption or annoyance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the number of password reset requests sent to the Forgot Password API for a specific email address. An unusually high volume of such requests in a short period may indicate exploitation attempts.
You can use network monitoring tools or log analysis to identify repeated API calls targeting the same email address.
For example, if you have access to web server logs, you can use commands like the following to detect repeated requests:
- grep 'forgot_password' /path/to/access.log | grep -o 'email=[^& "]*' | cut -d '=' -f2 | sort | uniq -c | sort -nr | head
This command extracts email addresses from the forgot password API requests, counts occurrences, and lists the most frequent targets.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Totara LMS's Forgot Password API allows an attacker to perform an email bombing attack by sending numerous password reset emails to a victim's email address. This can lead to potential denial of service or disruption of the victim's email communications.
While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, such an attack could indirectly impact compliance by causing disruption to user communications and potentially exposing the system to abuse that might affect data protection obligations.
Mitigating this vulnerability by implementing rate limiting helps reduce the risk of abuse and supports maintaining compliance with regulations that require reasonable security measures to protect user data and service availability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves implementing rate limiting on the Forgot Password API to restrict the number of password reset requests allowed per email address within a certain time frame.
Additionally, upgrading Totara LMS to a version later than 19.1.5 where this vulnerability is fixed is strongly recommended.
Other general best practices include monitoring for unusual activity related to password reset requests and alerting administrators if suspicious patterns are detected.
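The detection step and the rate-limiting mitigation described above both come down to one per-address sliding-window counter. The following Python is an added illustration, not the advisory's or Totara's code: `allow()` is the decision a limited endpoint would make before sending another reset mail, and `find_email_bombing()` replays access-log lines through the same counter to flag addresses whose request rate exceeded the budget. The Apache-style log layout, the `forgot_password` path, the `email=` query parameter, the 3-requests-per-15-minutes policy and the sample lines are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote


class PerEmailRateLimiter:
    """Sliding-window counter keyed by normalised email address."""

    def __init__(self, limit=3, window=15 * 60):  # assumed policy, not from the advisory
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> request timestamps (epoch seconds)

    def allow(self, email, ts):
        # Normalise so "Victim@Example.com " and "victim@example.com" share one budget
        key = email.strip().lower()
        q = self.events[key]
        while q and ts - q[0] >= self.window:  # expire events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: do not send another reset mail
        q.append(ts)
        return True


# Hypothetical Apache-style layout and parameter name; the advisory names
# neither, so adapt the pattern to the real endpoint and request format.
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "\w+ \S*forgot_password\S*?[?&]email=(?P<email>[^&\s"]+)')


def find_email_bombing(lines, limit=3, window=15 * 60):
    """Replay log lines through the limiter; return {email: requests over the limit}."""
    limiter, over = PerEmailRateLimiter(limit, window), defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        email = unquote(m.group("email"))
        if not limiter.allow(email, ts):
            over[email.strip().lower()] += 1
    return dict(over)


# Constructed sample: four requests for one victim inside four minutes (mixed
# case, different parameter order) and one legitimate request for another user.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Apr/2026:10:00:00 +0000] "GET /login/forgot_password.php?email=victim%40example.com HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Apr/2026:10:00:30 +0000] "GET /login/forgot_password.php?email=Victim%40Example.com HTTP/1.1" 200 512',
    '198.51.100.8 - - [13/Apr/2026:10:01:00 +0000] "GET /login/forgot_password.php?foo=1&email=victim%40example.com HTTP/1.1" 200 512',
    '203.0.113.4 - - [13/Apr/2026:10:02:00 +0000] "GET /login/forgot_password.php?email=alice%40example.com HTTP/1.1" 200 512',
    '198.51.100.9 - - [13/Apr/2026:10:04:00 +0000] "GET /login/forgot_password.php?email=victim%40example.com HTTP/1.1" 200 512',
]
```

Running `find_email_bombing(SAMPLE_LOG)` on the constructed lines returns `{'victim@example.com': 1}`: the fourth request for the victim within the window is the one a limited endpoint would have refused, and the same counter flags it on replay.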