CVE-2026-31282

Published: Apr 13, 2026

Modified: May 6, 2026

PUBLISHED

Description

Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client side control); (2) there is no evidence SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when disabled server side.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.totara.com/

https://github.com/saykino/CVE-2026-31282

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-31282

Description

Affected Products

References