Description
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client side control); (2) there is no evidence SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when disabled server side.
Published: 2026-04-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The report describes incorrect access control on Totara LMS's login page: client-side code is said to be manipulable to expose a hidden local login form, and the login endpoint is said to lack rate limiting, so the two together would allow a credential brute-force attack. The weaknesses recorded for the CVE are CWE-284 (Improper Access Control) and CWE-307 (Improper Restriction of Excessive Authentication Attempts). The supplier disputes the first half of the chain: whether local login is enabled is a server-side setting, and no evidence has been presented that an SSO-only instance accepts a local login when that setting is off. Revealing a hidden form in the browser is not a bypass on its own; what the server does with the submitted credentials decides the outcome. If the dispute holds, the residual issue is the absence of throttling on a login form that is already legitimately enabled, a hardening gap rather than an access control bypass. If it does not hold, unauthenticated credential guessing against local accounts would be possible, compromising confidentiality of those accounts and whatever they can reach.
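The distinction the supplier draws is easiest to see in code. The following is an added illustration, not Totara's code and not from OpenCVE: it models both readings of the report with a hypothetical server-side switch `manual_login_enabled`, a handler that never consults it (`login_weak`) and one that checks it on the POST (`login_enforced`). The user store, salt and the login path `/login/index.php` are constructed for the example.

```python
"""Client-side hiding versus server-side enforcement of a local-login switch.

Added illustration, not Totara code. SiteConfig.manual_login_enabled is a
hypothetical server-side setting; login_weak never reads it, login_enforced
does. Credentials, salt and the login path are constructed for the example.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteConfig:
    manual_login_enabled: bool  # hypothetical server-side switch (SSO-only when False)


_SALT = b"constructed-salt"  # fixed salt only so the example is self-contained


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user store; "alice" is a sample account, not a real credential.
USERS = {"alice": _hash("correct horse battery staple")}

LOGIN_FORM = ('<form method="post" action="/login/index.php">'
              '<input name="username"><input name="password" type="password"></form>')


def render_login_page(cfg: SiteConfig) -> str:
    """Both handlers serve the same HTML: when manual login is off the form is
    only hidden with CSS, which is what the report says can be undone."""
    if cfg.manual_login_enabled:
        return LOGIN_FORM
    return '<a href="/sso">Sign in with SSO</a><div style="display:none">' + LOGIN_FORM + "</div>"


def reveal_hidden_form(html: str) -> str:
    """What the browser-side manipulation amounts to: drop the hiding wrapper so
    the form becomes visible and submittable. No server state changes."""
    return re.sub(r'<div style="display:none">(.*?)</div>', r"\1", html, flags=re.S)


def _check_password(username: str, password: str) -> bool:
    expected = USERS.get(username)
    supplied = _hash(password)  # always hash so timing does not reveal whether the user exists
    return expected is not None and hmac.compare_digest(expected, supplied)


def login_weak(cfg: SiteConfig, username: str, password: str) -> int:
    """Weak handler: relies on the form being hidden and never reads cfg, so a
    direct POST (curl, an intercepting proxy, or the revealed form) is processed normally."""
    return 200 if _check_password(username, password) else 401


def login_enforced(cfg: SiteConfig, username: str, password: str) -> int:
    """Enforcing handler: the switch is checked on the POST itself, so revealing
    the form in the browser changes nothing. This is the supplier's point (1)."""
    if not cfg.manual_login_enabled:
        return 403
    return 200 if _check_password(username, password) else 401


def demonstrate() -> dict:
    """Run both handlers against an SSO-only site after the form has been revealed."""
    sso_only = SiteConfig(manual_login_enabled=False)
    page = reveal_hidden_form(render_login_page(sso_only))
    return {
        "form_visible_after_reveal": "display:none" not in page and "<form" in page,
        "weak_accepts_local_login": login_weak(sso_only, "alice", "correct horse battery staple"),
        "enforced_refuses_local_login": login_enforced(sso_only, "alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The practical check for a deployment follows from this: with local login disabled, submit local credentials directly to the login endpoint and confirm the server rejects them; whether the form is visible in the page is irrelevant to the answer.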

Affected Systems

Totara LMS versions 19.1.5 and earlier are reported as affected. The record names no specific edition, deployment type or fixed release, so any organization running those versions with local (manual) login enabled should treat the brute-force part of the report as applicable until it has verified its own throttling and lockout behaviour.

Risk and Exploitability

The CVSS 3.1 score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the issue critical: an unauthenticated network attacker with no user interaction and full impact on confidentiality, integrity and availability. That rating presupposes that the disputed form-reveal actually leads to accepted local logins; if the supplier's position holds, the effective severity is that of a login form without throttling. The SSVC assessment in the record lists Exploitation: none and Automatable: yes. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, and the issue is not in the CISA KEV catalog. The attack vector is remote: an attacker who can reach the login endpoint over the network could run a credential-guessing campaign at whatever rate the server accepts, limited only by throttling, lockout or network controls that the deployment itself enforces.

Generated by OpenCVE AI on May 6, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed release is referenced in this record; check Totara's release notes and security announcements for a version that addresses the report before assuming an upgrade resolves it
  • Verify the server-side control the supplier cites: with local (manual) login disabled, send a direct POST of local credentials to the login endpoint and confirm it is rejected, rather than relying on the form being hidden in the page
  • Enforce rate limiting or account lockout on the login endpoint (in the application if your release provides a lockout threshold, otherwise at the reverse proxy or WAF) so that credential guessing is throttled regardless of how the form is exposed
  • Monitor web-server and authentication logs for bursts of login POSTs from single sources and for low-rate attempts spread across many accounts, and investigate suspicious activity
  • Limit exposure of the login page where the deployment allows it (network allow-lists, SSO enforcement, multi-factor authentication on local accounts)
  • Review the Totara support portal for further guidance and temporary mitigations
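The monitoring item above can be put into practice directly against web-server access logs. The following is an added example, not OpenCVE's or Totara's code: it parses combined-format access log lines and alerts on any source IP that sends a threshold number of POSTs to the login endpoint within a sliding window. The endpoint path `/login/index.php` is assumed (confirm it for your deployment), and the log lines are constructed. Access logs do not record whether a login succeeded, so the signal is the volume of attempts, not failures; per-account spraying across many sources needs the application's own authentication events and is not covered here.

```python
"""Detect login brute force from web-server access logs.

Added example, not OpenCVE's or Totara's code. Assumes a combined-format
access log and that the login endpoint is /login/index.php (assumed path).
Access logs do not say whether a login succeeded, so the signal is the number
of POSTs to the endpoint per source within a sliding window. SAMPLE_LOG is
constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return (ip, timestamp, method, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # ignore the query string
    return m.group("ip"), ts, m.group("method"), path


def detect_login_bursts(lines, login_path="/login/index.php",
                        threshold=5, window=timedelta(seconds=60)):
    """One alert per source IP that sends >= threshold login POSTs within
    `window`. The alert's count is the peak number of attempts seen in one window."""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still inside the window
    alerts = {}                  # ip -> alert dict
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than crash the detector
        ip, ts, method, path = rec
        if method != "POST" or path != login_path:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # q is never empty here: ts itself was just appended
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"ip": ip, "first": q[0], "count": 0, "last": ts})
            a["count"] = max(a["count"], len(q))
            a["last"] = ts
    return list(alerts.values())


# Constructed sample: one normal user (198.51.100.5) and one scripted client
# (203.0.113.7) hammering the login endpoint, plus a malformed line.
SAMPLE_LOG = """\
198.51.100.5 - - [06/May/2026:07:20:01 +0000] "GET /login/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [06/May/2026:07:20:09 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.5 - - [06/May/2026:07:20:10 +0000] "GET /my/ HTTP/1.1" 200 14020 "-" "Mozilla/5.0"
203.0.113.7 - - [06/May/2026:07:21:00 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [06/May/2026:07:21:01 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [06/May/2026:07:21:02 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [06/May/2026:07:21:03 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [06/May/2026:07:21:04 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [06/May/2026:07:21:05 +0000] "POST /login/index.php?lang=en HTTP/1.1" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [06/May/2026:07:21:06 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "python-requests/2.31"
this line is malformed and must be skipped
203.0.113.7 - - [06/May/2026:07:30:00 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "python-requests/2.31"
""".splitlines()


if __name__ == "__main__":
    for alert in detect_login_bursts(SAMPLE_LOG):
        print(f'{alert["ip"]}: {alert["count"]} login POSTs between {alert["first"]} and {alert["last"]}')
```

Tune `threshold` and `window` to the site's real login rate before alerting on it; a shared NAT or a proxy in front of a large campus can legitimately produce several logins per minute from one address, so the alert is a starting point for investigation, not proof of attack.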

Advisories

No advisories yet.

History

Wed, 06 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Brute-Force Login via Incorrect Access Control in Totara LMS

Wed, 06 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description (removed) Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack.
Description (added) Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client side control); (2) there is no evidence SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when disabled server side.

Wed, 15 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title Brute-Force Login via Incorrect Access Control in Totara LMS

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title Totara LMS Brute‑Force Accessible Login Due to Incorrect Access Control
Weaknesses CWE-307

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Totara LMS Brute‑Force Accessible Login Due to Incorrect Access Control
Weaknesses CWE-284
CWE-307

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Totara
Totara lms
Vendors & Products Totara
Totara lms

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-06T06:10:30.341Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31282

Vulnrichment

Updated: 2026-04-14T15:43:00.720Z

NVD

Status : Deferred

Published: 2026-04-13T15:17:33.100

Modified: 2026-05-06T07:16:00.677

Link: CVE-2026-31282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T07:30:16Z

Weaknesses