{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31282", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T16:32:43.823Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T14:14:10.963Z"}, "descriptions": [{"lang": "en", "value": "Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.totara.com/"}, {"url": "https://github.com/saykino/CVE-2026-31282"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:42:38.560739Z", "id": "CVE-2026-31282", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:32:43.823Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31282", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T15:42:38.560739Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:43:00.720Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.totara.com/"}, {"url": "https://github.com/saykino/CVE-2026-31282"}], "descriptions": [{"lang": "en", "value": "Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T14:14:10.963Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31282", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:32:43.823Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack."}], "id": "CVE-2026-31282", "lastModified": "2026-04-14T17:16:50.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T15:17:33.100", "references": [{"source": "cve@mitre.org", "url": "https://github.com/saykino/CVE-2026-31282"}, {"source": "cve@mitre.org", "url": "https://www.totara.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,19.1.5]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "lms", "vendor": "totara"}], "analysis": {"en": {"generated_at": "2026-04-14T20:12:12.768380+00:00", "value": {"mitigation_remediation": ["Upgrade Totara LMS to a patched version that resolves the incorrect access control issue", "If upgrading is not immediately possible, apply a restrictive access control or rate\u2011limit policy to the login endpoint to mitigate brute\u2011force attempts", "Monitor authentication logs for repeated failed login attempts and investigate suspicious activity", "Ensure the login page is not exposed to the public internet without appropriate controls", "Review the Totara support portal for further guidance and temporary mitigations"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Account Access via Brute\u2011Force Login"}, "threat_synthesis": {"affected_systems": "Totara Learning Management System versions 19.1.5 and earlier are affected. The vulnerability has been identified in the official deployments of Totara LMS and could affect organizations running those releases.", "description_and_impact": "The vulnerability arises from an incorrect access control on the login page of Totara LMS, allowing an attacker to manipulate the code to expose the login interface. Combined with a missing rate\u2011limit on the login form, this permits the attacker to launch a brute\u2011force attack to discover valid credentials. The impact is that an unauthorized user can gain access to accounts, compromising confidentiality, integrity, and the ability to perform actions within the LMS (e.g., accessing course content, modifying data). The weakness corresponds to CWE\u2011284 and CWE\u2011307.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity. The EPSS score of less than 1% suggests that exploitation is unlikely to be widespread at present, but the vulnerability remains a high\u2011risk target for attackers. The issue is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via an unprotected web interface that can be accessed over the network. An attacker would only need to identify the vulnerable login endpoint and start a brute\u2011force campaign, which the lack of rate limiting would allow to proceed with minimal delay."}}}}, "created": "2026-04-14T16:22:08.772335+00:00", "updated": "2026-04-15T15:45:07.541133+00:00", "vendors": ["totara", "totara$PRODUCT$lms"]}