CVE-2026-31282
Published: 13 April 2026
Summary
CVE-2026-31282 is a critical-severity Improper Access Control (CWE-284) vulnerability in Totara LMS (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-7 (Unsuccessful Logon Attempts).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-7 (Unsuccessful Logon Attempts): directly limits the number of unsuccessful logon attempts to prevent brute force attacks on the exposed login form.
- AC-3 (Access Enforcement): enforces approved access authorizations to block manipulation of the login page code that reveals the login form.
- Input validation: validates inputs to the login page to mitigate manipulation attempts that expose the login form despite the controls above.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in the public-facing Totara LMS login page: manipulating the page bypasses access controls and exposes a login form that has no rate limiting, which directly enables remote brute-force password guessing (T1110.001) following exploitation of the public-facing web application (T1190).
NVD Description
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client side control); (2) there is no evidence SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when disabled server side.
Deeper analysis
CVE-2026-31282 is an Incorrect Access Control vulnerability (CWE-284) affecting Totara LMS versions v19.1.5 and earlier. The flaw resides in the login page code, which can be manipulated to reveal the login form despite access controls. This issue is compounded by the absence of rate-limiting on the login form, facilitating brute force attacks. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. By manipulating the login page to expose the form and then performing unlimited brute force attempts due to missing rate limits, attackers can guess valid credentials. Successful exploitation could grant unauthorized access to the LMS, potentially leading to high impacts on confidentiality, integrity, and availability. Note that the supplier disputes this assessment (see the NVD description above): it states that local login is enabled or disabled server side, and that no evidence was presented that SSO login can be bypassed or that local login succeeds when disabled server side.
Mitigation details are available through vendor resources and related publications. Security practitioners should consult the Totara website at https://www.totara.com/ for official advisories or patches, and the GitHub repository at https://github.com/saykino/CVE-2026-31282 for additional technical details or proof-of-concept information. The CVE was published on 2026-04-13T15:17:33.100.
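The two controls this record singles out, AC-3 (the decision whether local login is allowed is made on the server, regardless of whether a client reveals the form) and AC-7 (a bound on unsuccessful logon attempts per account and per source address), as an added illustrative Python login gate. This is not Totara code; the user store, the SHA-256 stand-in for a real password hash, the threshold and the window are constructed for the example.

```python
# Added example (not Totara's code): a server-side login gate that enforces the
# controls the record discusses. Whether local login is enabled is decided here,
# never by hiding the form (AC-3), and failed attempts are bounded per account
# and per source IP inside a sliding window (AC-7).
import hashlib
import hmac
import time
from collections import defaultdict

LOCKOUT_THRESHOLD = 5   # failed attempts tolerated per key in the window (constructed value)
LOCKOUT_WINDOW = 300    # seconds (constructed value)


def hash_password(password):
    # Stand-in for a real password hash (e.g. a salted, slow KDF); SHA-256 keeps the example short.
    return hashlib.sha256(password.encode()).hexdigest()


class LoginGate:
    def __init__(self, users, local_login_enabled, now=time.time):
        self.users = users                        # {username: password hash}, constructed
        self.local_login_enabled = local_login_enabled
        self.now = now                            # injectable clock for testing
        self.failures = defaultdict(list)         # ("user", name) / ("ip", addr) -> timestamps

    def _recent_failures(self, key):
        cutoff = self.now() - LOCKOUT_WINDOW
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def attempt(self, username, password, source_ip):
        # AC-3: the server-side setting decides; a client that reveals the form gains nothing.
        if not self.local_login_enabled:
            return "disabled"
        # AC-7: lock out when either the account or the source address is over the threshold,
        # even if the submitted password happens to be correct.
        for key in (("user", username), ("ip", source_ip)):
            if self._recent_failures(key) >= LOCKOUT_THRESHOLD:
                return "locked"
        expected = self.users.get(username)
        # Constant-time compare; an unknown user still counts as a failed attempt.
        if expected is not None and hmac.compare_digest(expected, hash_password(password)):
            self.failures.pop(("user", username), None)   # successful login resets the account counter
            return "ok"
        stamp = self.now()
        self.failures[("user", username)].append(stamp)
        self.failures[("ip", source_ip)].append(stamp)
        return "failed"
```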
Details
- CWE(s)