Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack.
AnalysisAI
Brute-force authentication bypass in Totara LMS versions 19.1.5 and earlier allows unauthenticated remote attackers to compromise user accounts via credential stuffing. The vulnerability chains login page manipulation with missing rate-limiting controls, enabling automated password guessing attacks. With CVSS 9.8 (critical) severity but only 0.02% EPSS probability (5th percentile), this represents a high-severity design flaw with currently low observed exploitation activity. A proof-of-concept exploit exists on GitHub (saykino/CVE-2026-31282), lowering the barrier for attack automation, though no confirmed active exploitation (CISA KEV) has been reported.
Technical ContextAI
Totara LMS is a learning management system based on Moodle architecture. This vulnerability represents CWE-284 (Improper Access Control) where the application fails to implement defense-in-depth controls on authentication mechanisms. The attack surface consists of two chained weaknesses: first, the login page code can be manipulated to expose the authentication form (suggesting client-side controls or DOM manipulation vulnerabilities), and second, the absence of server-side rate-limiting on login attempts. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates this is a network-accessible vulnerability with low attack complexity requiring no privileges or user interaction, making it highly automatable. Modern authentication systems should implement multiple controls including CAPTCHA mechanisms, exponential backoff, account lockouts, and IP-based rate limiting to prevent credential stuffing and brute-force attacks. The CPE string indicates incomplete product identification data, though the vulnerability clearly affects Totara LMS products up to version 19.1.5.
RemediationAI
Organizations running Totara LMS should immediately upgrade to a patched version beyond 19.1.5, though specific fixed version details are not provided in available vendor advisories at totara.com. Until patches can be applied, implement compensating controls including web application firewall rules to enforce aggressive rate-limiting on authentication endpoints (recommended: maximum 5 failed attempts per IP per 15-minute window), deploy CAPTCHA or similar challenge-response mechanisms on login forms, implement account lockout policies after repeated failed attempts, enable multi-factor authentication for all user accounts, restrict network access to Totara LMS instances using IP allowlisting where feasible, and monitor authentication logs for brute-force patterns. Review GitHub repository saykino/CVE-2026-31282 for proof-of-concept details to inform detection rule development. Consult VulDB advisory 357168 and official Totara security bulletins for additional mitigation guidance and confirmed patch availability timelines.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21930
GHSA-2969-3f7h-gmhq