CVE-2026-31283
Published: 13 April 2026
Summary
CVE-2026-31283 is a critical-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Totara LMS (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Email Bombing (T1667); ranked at the 17.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): Directly requires denial-of-service protections such as rate limiting on the forgot password API endpoint to prevent email bombing attacks.
- SC-6 (Resource Availability): Ensures resource availability by implementing mechanisms to monitor and limit excessive password reset email generation requests per target email address.
- Restricts the amount and frequency of information inputs to the forgot password API, mitigating unbounded requests tied to specific email addresses.
MITRE ATT&CK Enterprise Techniques
- T1667 (Email Bombing)
Why these techniques?
The vulnerability description explicitly enables email bombing via unlimited forgot-password requests (CWE-770) that flood a target's inbox, matching T1667 directly.
NVD Description
In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.
Deeper analysis
CVE-2026-31283 affects Totara LMS versions v19.1.5 and earlier, specifically in the forgot password API endpoint. The vulnerability stems from a lack of rate limiting tied to the target email address, enabling an email bombing attack where repeated requests can flood a user's inbox with password reset emails. This issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
Any remote, unauthenticated attacker can exploit this vulnerability without user interaction by submitting multiple forgot password requests for a targeted email address. Successful exploitation allows the attacker to overwhelm the victim's email account with a high volume of password reset notifications, potentially disrupting service and causing denial-of-service effects on the user's email access or related workflows.
The supplier maintains that no additional mitigation is required, citing a default pwresettime configuration of 30 minutes enforced by the PWRESET_STATUS_ALREADYSENT flag, which prevents further password reset emails for a specific email address while the flag is active. Additional details are available in the GitHub advisory at https://github.com/saykino/CVE-2026-31283 and Totara's site at https://totara.com/.
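As an added illustration of the control the supplier describes (this is example code written for this page, not Totara's implementation), the throttle below keys a send window on the target address rather than on the requester, so a burst of forgot-password requests for one victim yields a single email; names such as ResetThrottle, request_reset and the STATUS_* constants are hypothetical, and the clock is injectable so the 30-minute window can be exercised offline.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

STATUS_SENT = "sent"
STATUS_ALREADY_SENT = "already_sent"   # plays the role of the described PWRESET_STATUS_ALREADYSENT flag
DEFAULT_PWRESETTIME = 30 * 60          # 30 minutes, the default the advisory cites


@dataclass
class ResetThrottle:
    """Per-target-address throttle for password-reset mail (hypothetical, not Totara's code)."""
    window: int = DEFAULT_PWRESETTIME
    clock: Callable[[], float] = field(default=time.time)   # injectable for tests
    last_sent: Dict[str, float] = field(default_factory=dict)
    suppressed: Dict[str, int] = field(default_factory=dict)  # per-address count of throttled requests
    outbox: List[str] = field(default_factory=list)           # stands in for the mailer

    @staticmethod
    def _key(email: str) -> str:
        # Normalise so case and whitespace variants of one address share a window
        return email.strip().lower()

    def request_reset(self, email: str) -> str:
        key = self._key(email)
        now = self.clock()
        sent_at = self.last_sent.get(key)
        if sent_at is not None and now - sent_at < self.window:
            # Window still active: record the attempt for detection, send nothing
            self.suppressed[key] = self.suppressed.get(key, 0) + 1
            return STATUS_ALREADY_SENT
        self.last_sent[key] = now
        self.outbox.append(key)   # one mail per address per window
        return STATUS_SENT


def simulate_burst(throttle: ResetThrottle, email: str, n: int) -> Dict[str, int]:
    """Issue n requests for one address within a single window and count the outcomes."""
    counts = {STATUS_SENT: 0, STATUS_ALREADY_SENT: 0}
    for _ in range(n):
        counts[throttle.request_reset(email)] += 1
    return counts


if __name__ == "__main__":
    print(simulate_burst(ResetThrottle(), "victim@example.com", 500))
```

The suppressed counter is the detection hook: a large count for one address inside a single window is exactly the pattern this advisory describes and is worth alerting on.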
Details
- CWE(s)