Skip to main content

EUVDEUVD-2026-21931

| CVE-2026-31283 CRITICAL
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-13 mitre GHSA-h2c3-7q37-gjwp
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 17:26 vuln.today
CVSS changed
Apr 14, 2026 - 17:22 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 13, 2026 - 14:45 euvd
EUVD-2026-21931
Analysis Generated
Apr 13, 2026 - 14:45 vuln.today
CVE Published
Apr 13, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack.

AnalysisAI

Totara LMS versions up to 19.1.5 allow unauthenticated remote attackers to conduct email bombing attacks by abusing the forgot password API endpoint, which lacks rate limiting on target email addresses. With a CVSS score of 9.8, the vulnerability enables complete compromise of confidentiality, integrity, and availability. Despite the critical score, EPSS estimates only 0.02% exploitation probability (5th percentile), and no active exploitation is confirmed (not in CISA KEV). A public proof-of-concept exists on GitHub, demonstrating the abuse technique.

Technical ContextAI

This vulnerability affects Totara LMS, an enterprise learning management system. The root cause is CWE-770: Allocation of Resources Without Limits or Throttling. The forgot password functionality typically sends password reset emails to user-supplied addresses. Without rate limiting or CAPTCHA protection on the recipient email parameter, attackers can abuse this API endpoint as an email relay. By repeatedly invoking the endpoint with a victim's email address, attackers force the LMS to send numerous unsolicited emails, overwhelming the victim's inbox. This is a common oversight in authentication flows where rate limits are applied to requestor IPs but not to the target resource (the email address receiving notifications). The CVSS vector indicates network-based exploitation requiring no authentication, no user interaction, and low attack complexity.

RemediationAI

Organizations should upgrade Totara LMS to the latest patched version addressing this vulnerability. Consult the official Totara vendor advisory at https://totara.com/ for the specific fixed release version and upgrade procedures. If immediate patching is not feasible, implement compensating controls such as web application firewall rules to enforce rate limiting on the forgot password endpoint (limit requests per source IP and per target email address within sliding time windows), deploy CAPTCHA or challenge-response mechanisms on the password reset form, or restrict access to the forgot password API to authenticated sessions only if business logic permits. Monitor application logs for abnormal volumes of password reset requests targeting the same email addresses as an indicator of abuse. The GitHub repository at https://github.com/saykino/CVE-2026-31283 contains proof-of-concept code that can be used for validation testing after applying patches.

Share

EUVD-2026-21931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy