Description
In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.
Published: 2026-04-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Email Bombing
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the forgot password API of Totara Learning Management System (LMS) releases 19.1.5 and earlier, where no rate limiting is applied to the target email address. An attacker can trigger an arbitrary number of password‑reset emails to a chosen account, overwhelming the mailbox and disrupting legitimate use. The vendor states that the pwresettime configuration defaults to 30 minutes and that a hard‑control flag ("PWRESET_STATUS_ALREADYSENT") blocks additional reset emails once it is active for a specific address, yet documented behavior still permits rapid successive requests before the flag is set.

Affected Systems

Totara Learning Management System versions 19.1.5 and earlier are affected; no other vendor or product variants are listed.

Risk and Exploitability

The CVSS base score of 9.8 indicates a very high severity, and the EPSS score of less than 1 % suggests the current exploitation likelihood is low. This vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the publicly exposed, unauthenticated API endpoint that accepts any email address; an attacker can directly target any account without prior credentials.

Generated by OpenCVE AI on April 29, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official Totara LMS patch that implements rate limiting on the forgot password endpoint; upgrades newer than 19.1.5 are recommended.
  • If an immediate upgrade is not possible, place external rate‑limiting or firewall rules on the forgot password URL to constrain the number of requests per address within a given time frame.
  • Continuously monitor request logs for spikes in the forgot password endpoint and deploy automated alerts or temporary blocks against abusive traffic.
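A defender-side sketch of the last two recommendations, added here as an illustration and not Totara's own code: a per-address cooldown gate modelled on the 30-minute pwresettime default, and a detector that flags addresses receiving a burst of reset requests. The audit-log line format, the sample lines and the thresholds are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample audit lines (assumed format; not Totara's real log format).
SAMPLE_LOG = """\
2026-04-13T10:00:01Z password_reset_requested email=alice@example.org
2026-04-13T10:00:02Z password_reset_requested email=alice@example.org
2026-04-13T10:00:03Z password_reset_requested email=alice@example.org
2026-04-13T10:00:04Z password_reset_requested email=alice@example.org
2026-04-13T10:00:05Z password_reset_requested email=alice@example.org
2026-04-13T10:05:00Z password_reset_requested email=bob@example.org
2026-04-13T10:45:00Z password_reset_requested email=bob@example.org
"""
LINE_RE = re.compile(r"^(\S+) password_reset_requested email=(\S+)$")

def parse_events(text):
    """Return (timestamp, email) pairs; lines that do not match the assumed format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2).lower()))
    return events

def find_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map each address that got >= threshold requests inside a sliding window to the time it crossed it."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, email in sorted(events):
        q = recent[email]
        q.append(ts)
        while q and ts - q[0] > window:      # drop requests older than the window
            q.popleft()
        if len(q) >= threshold and email not in flagged:
            flagged[email] = ts              # first moment the address crossed the threshold
    return flagged

class ResetCooldown:
    """Per-address gate: at most one reset mail per cooldown period (30 min mirrors the pwresettime default)."""
    def __init__(self, cooldown=timedelta(minutes=30)):
        self.cooldown = cooldown
        self.last_sent = {}
    def allow(self, email, now):
        email = email.lower()                # addresses are compared case-insensitively
        last = self.last_sent.get(email)
        if last is not None and now - last < self.cooldown:
            return False                     # still inside the cooldown: do not send again
        self.last_sent[email] = now
        return True
```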



Advisories

No advisories yet.

History

Wed, 29 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Unrestricted Password Reset Causing Email Bombing in Totara LMS

Fri, 24 Apr 2026 08:00:00 +0000

Type: Description
Values Removed: In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack.
Values Added: In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title Missing Rate Limiting on Totara LMS Forgot Password API Allows Email Bombing

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Missing Rate Limiting on Totara LMS Forgot Password API Allows Email Bombing
Weaknesses CWE-770

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Added: Totara, Totara lms
Type: Vendors & Products
Values Added: Totara, Totara lms

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Added: In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-24T07:32:30.441Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31283

Vulnrichment

Updated: 2026-04-14T15:41:49.753Z

NVD

Status: Deferred

Published: 2026-04-13T15:17:33.220

Modified: 2026-04-24T08:16:29.853

Link: CVE-2026-31283

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T02:00:27Z

Weaknesses