CVE-2026-31282 | THREATINT

Description

Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client side control); (2) there is no evidence SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when disabled server side.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-13 | Updated 2026-05-06 | Assigner mitre

References

www.totara.com/

github.com/saykino/CVE-2026-31282

cve.org (CVE-2026-31282)

nvd.nist.gov (CVE-2026-31282)

Download JSON