Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack.
AnalysisAI
Totara LMS versions up to 19.1.5 allow unauthenticated remote attackers to conduct email bombing attacks by abusing the forgot password API endpoint, which lacks rate limiting on target email addresses. With a CVSS score of 9.8, the vulnerability enables complete compromise of confidentiality, integrity, and availability. Despite the critical score, EPSS estimates only 0.02% exploitation probability (5th percentile), and no active exploitation is confirmed (not in CISA KEV). A public proof-of-concept exists on GitHub, demonstrating the abuse technique.
Technical ContextAI
This vulnerability affects Totara LMS, an enterprise learning management system. The root cause is CWE-770: Allocation of Resources Without Limits or Throttling. The forgot password functionality typically sends password reset emails to user-supplied addresses. Without rate limiting or CAPTCHA protection on the recipient email parameter, attackers can abuse this API endpoint as an email relay. By repeatedly invoking the endpoint with a victim's email address, attackers force the LMS to send numerous unsolicited emails, overwhelming the victim's inbox. This is a common oversight in authentication flows where rate limits are applied to requestor IPs but not to the target resource (the email address receiving notifications). The CVSS vector indicates network-based exploitation requiring no authentication, no user interaction, and low attack complexity.
RemediationAI
Organizations should upgrade Totara LMS to the latest patched version addressing this vulnerability. Consult the official Totara vendor advisory at https://totara.com/ for the specific fixed release version and upgrade procedures. If immediate patching is not feasible, implement compensating controls such as web application firewall rules to enforce rate limiting on the forgot password endpoint (limit requests per source IP and per target email address within sliding time windows), deploy CAPTCHA or challenge-response mechanisms on the password reset form, or restrict access to the forgot password API to authenticated sessions only if business logic permits. Monitor application logs for abnormal volumes of password reset requests targeting the same email addresses as an indicator of abuse. The GitHub repository at https://github.com/saykino/CVE-2026-31283 contains proof-of-concept code that can be used for validation testing after applying patches.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21931
GHSA-h2c3-7q37-gjwp