CRITICAL🇵🇱 Wersja polska

CVE-2026-31283

CVSS 9.8v3.1pub. 2026-04-13upd. 2026-04-24

In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.

🤖 AI Analysis
How it works

An attacker sends multiple requests to the password reset API endpoint, providing the victim's email address, without any mechanism limiting the number of such requests. The system generates and sends subsequent emails with password reset links to the specified address. However, the software vendor points out that the default configuration of the pwresettime parameter is 30 minutes, and the PWRESET_STATUS_ALREADYSENT flag blocks sending additional messages after the first request in this time window — which according to the vendor constitutes sufficient control.

Impact

An attacker can cause an overload of a selected user's mailbox with a large number of emails (Email Bombing), which may result in difficult access to the mailbox or hiding other messages in it.

Mitigation & patch

Apply patches available from the manufacturer in accordance with the references. Additionally, it is recommended to verify the configuration of the pwresettime parameter and ensure that the PWRESET_STATUS_ALREADYSENT flag is active. It is also worth considering implementing additional rate limiting mechanisms at the infrastructure level (e.g., firewall, reverse proxy).

Who is affected

Totara LMS in version v19.1.5 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References