Cyber Resilience

CVE-2026-31283

Critical · DDoS

Published: 13 April 2026
Modified: 24 April 2026
KEV Added
Patch
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (31.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-31283 is a critical-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Totara LMS (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Email Bombing (T1667). EPSS ranks it at the 31.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-31283 affects Totara LMS versions v19.1.5 and earlier, specifically in the forgot password API endpoint. The vulnerability stems from a lack of rate limiting tied to the target email address, enabling an email bombing attack where repeated requests can flood a user's inbox with password reset emails. This issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.

Any remote, unauthenticated attacker can exploit this vulnerability without user interaction by submitting multiple forgot password requests for a targeted email address. Successful exploitation allows the attacker to overwhelm the victim's email account with a high volume of password reset notifications, potentially disrupting service and causing denial-of-service effects on the user's email access or related workflows.

The supplier maintains that no additional mitigation is required, citing the default pwresettime configuration of 30 minutes, enforced by the PWRESET_STATUS_ALREADYSENT flag, which prevents further password reset emails for a specific email address while the flag is active. Additional details are available in the GitHub advisory at https://github.com/saykino/CVE-2026-31283 and on Totara's site at https://totara.com/.

EU & UK References

Vulnerability details

In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1667 Email Bombing (Impact): Adversaries may flood targeted email addresses with an overwhelming volume of messages.
Why these techniques?

Vulnerability description explicitly enables email bombing via unlimited forgot-password requests (CWE-770) that flood a target's inbox, matching T1667 directly.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25043 (shared CWE-770)
CVE-2021-47877 (shared CWE-770)
CVE-2021-47784 (shared CWE-770)
CVE-2021-47793 (shared CWE-770)
CVE-2021-47895 (shared CWE-770)
CVE-2025-1059 (shared CWE-770)
CVE-2026-29181 (shared CWE-770)
CVE-2026-35401 (shared CWE-770)
CVE-2026-23490 (shared CWE-770)
CVE-2025-13929 (shared CWE-770)

Affected Assets

Totara LMS (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SC-5, Denial-of-service Protection): Directly requires denial-of-service protections such as rate limiting on the forgot password API endpoint to prevent email bombing attacks.

Prevent (SC-6, Resource Availability): Ensures resource availability by implementing mechanisms to monitor and limit excessive password reset email generation requests per target email address.

Prevent: Restricts the amount and frequency of information inputs to the forgot password API, mitigating unbounded requests tied to specific email addresses.
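The two controls discussed on this page, a per-address cooldown after a reset email is sent (the behaviour the supplier attributes to pwresettime) and a per-address request cap that keeps counting even while the cooldown suppresses mail, can be modelled as one throttle in front of a forgot-password handler. The following is an added illustration, not Totara's code; the class, constants and the `send_email` callback are hypothetical, and the caller always receives the same constant status so the endpoint does not become an account-existence oracle.

```python
import time
from collections import defaultdict, deque

# Constructed defensive model of a forgot-password throttle (not Totara's code).
RESET_COOLDOWN_SECS = 30 * 60      # per-address cooldown, mirrors the page's 30-minute default
MAX_REQUESTS_PER_WINDOW = 5        # per-address cap counted regardless of the cooldown
WINDOW_SECS = 60 * 60


class PasswordResetThrottle:
    def __init__(self, now=time.time):
        self.now = now                      # injectable clock, so behaviour can be tested offline
        self.last_sent = {}                 # email -> timestamp of the last reset email actually sent
        self.requests = defaultdict(deque)  # email -> timestamps of every request in the window

    def request_reset(self, email, send_email):
        """Return (status, outcome).

        status is the constant value shown to the caller ("ok" in every case);
        outcome is the internal result, intended only for logging and alerting.
        """
        key = email.strip().lower()         # stable key so the limiter counts one address once
        t = self.now()
        q = self.requests[key]
        while q and t - q[0] > WINDOW_SECS:  # drop requests that fell out of the sliding window
            q.popleft()
        q.append(t)
        if len(q) > MAX_REQUESTS_PER_WINDOW:
            # Counted above the cap: no mail, and a reviewable signal for SC-6 style monitoring.
            return "ok", "rate_limited"
        last = self.last_sent.get(key)
        if last is not None and t - last < RESET_COOLDOWN_SECS:
            # Equivalent of an "already sent" flag: one reset email per address per cooldown.
            return "ok", "already_sent"
        send_email(key)
        self.last_sent[key] = t
        return "ok", "sent"

    def requests_in_window(self, email):
        """Number of requests seen for this address in the current window (for alerting)."""
        return len(self.requests[email.strip().lower()])
```

The `rate_limited` outcome is what a detection rule should key on: a single address crossing the cap within the window is the signature of the behaviour described above, even though no email left the system.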

References