CVE-2026-31282
CriticalSummary
Totara LMS v19.1.5 and earlier is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form, allowing an attacker to perform a brute force attack due to the lack of rate-limiting on the login form.
Risk Assessment
The organization may be exposed to brute force attacks, potentially leading to unauthorized access to user accounts. A security breach could result in data loss or access to sensitive information.
Recommendation
It is recommended to implement appropriate rate-limiting mechanisms for login attempts and review security configurations in Totara LMS. Additionally, monitoring logs for suspicious activity is advised.
Original NVD description (English source)
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client side control); (2) there is no evidence SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when disabled server side.

