{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31283", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-24T07:32:30.441Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-24T07:32:30.441Z"}, "descriptions": [{"lang": "en", "value": "In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://totara.com/"}, {"url": "https://github.com/saykino/CVE-2026-31283"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}], "tags": ["disputed"]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-770", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:40:54.096682Z", "id": "CVE-2026-31283", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:32:37.891Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31283", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T15:40:54.096682Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:41:49.753Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://totara.com/"}, {"url": "https://github.com/saykino/CVE-2026-31283"}], "descriptions": [{"lang": "en", "value": "In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-24T07:32:30.441Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31283", "state": "PUBLISHED", "dateUpdated": "2026-04-24T07:32:30.441Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address."}], "id": "CVE-2026-31283", "lastModified": "2026-04-24T08:16:29.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T15:17:33.220", "references": [{"source": "cve@mitre.org", "url": "https://github.com/saykino/CVE-2026-31283"}, {"source": "cve@mitre.org", "url": "https://totara.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,19.1.5]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "lms", "vendor": "totara"}], "analysis": {"en": {"generated_at": "2026-04-29T01:56:48.602168+00:00", "value": {"mitigation_remediation": ["Apply an official Totara LMS patch that implements rate limiting on the forgot password endpoint; upgrades newer than 19.1.5 are recommended.", "If an immediate upgrade is not possible, place external rate\u2011limiting or firewall rules on the forgot password URL to constrain the number of requests per address within a given time frame.", "Continuously monitor request logs for spikes in the forgot password endpoint and deploy automated alerts or temporary blocks against abusive traffic."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via Email Bombing"}, "threat_synthesis": {"affected_systems": "Totara Learning Management System versions 19.1.5 and earlier are affected; no other vendor or product variants are listed.", "description_and_impact": "The flaw resides in the forgot password API of Totara Learning Management System (LMS) releases 19.1.5 and earlier, where no rate limiting is applied to the target email address. An attacker can trigger an arbitrary number of password\u2011reset emails to a chosen account, overwhelming the mailbox and disrupting legitimate use. The vendor states that the pwresettime configuration defaults to 30\u202fminutes and that a hard\u2011control flag (\"PWRESET_STATUS_ALREADYSENT\") blocks additional reset emails once it is active for a specific address, yet documented behavior still permits rapid successive requests before the flag is set.", "risk_and_exploitability": "The CVSS base score of 9.8 indicates a very high severity, and the EPSS score of less than 1\u202f% suggests the current exploitation likelihood is low. This vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is the publicly exposed, unauthenticated API endpoint that accepts any email address; an attacker can directly target any account without prior credentials."}}}}, "created": "2026-04-14T16:22:07.699689+00:00", "title": "Unrestricted Password Reset Causing Email Bombing in Totara LMS", "updated": "2026-04-29T02:00:27.273563+00:00", "vendors": ["totara", "totara$PRODUCT$lms"]}