
CVE-2026-26744: n/a

Published: Thu Feb 19 2026 (02/19/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.

AI-Powered Analysis

Last updated: 02/19/2026, 21:48:31 UTC

Technical Analysis

CVE-2026-26744 identifies a user enumeration vulnerability in the FormaLMS learning management system, versions 4.1.18 and below. The flaw is in the password recovery function reached via the /lostpwd endpoint. When a username is submitted for recovery, the application returns a different error message depending on whether that username exists, so an unauthenticated attacker who submits a list of candidate usernames can separate registered accounts from unregistered ones simply by comparing the responses. The oracle is the response itself: the attack needs nothing beyond the ability to send HTTP requests to the endpoint, with no session, no account and no user interaction.

User enumeration does not by itself breach the confidentiality of account data or the integrity of the system, but it turns a blind credential attack into a targeted one. Confirmed usernames feed password spraying, credential stuffing and phishing, and they let an attacker spend effort only on accounts that exist. When testing for this class of issue, compare responses across every observable channel and not only the message text: status code, redirect target, body content and response time can all differ, and a fix that only equalizes the visible wording while still sending the recovery e-mail inline for real accounts leaves a timing oracle behind.

At the time of writing no CVSS score has been assigned and no public exploit has been reported; the CVE was reserved on 2026-02-16 and published on 2026-02-19. The record carries no patch links, so a fix may not yet be publicly available. Organizations running FormaLMS should watch for a vendor update and apply it once released, and in the meantime can reduce exposure by returning an identical response for valid and invalid usernames and by rate limiting the password recovery endpoint.

Potential Impact

The primary impact of CVE-2026-26744 is the disclosure of which usernames are registered on a FormaLMS instance. That information aids targeted attacks such as credential stuffing, password spraying and phishing, and can lead to unauthorized access where weak or reused credentials are in place. The vulnerability does not itself compromise accounts or system integrity; what it removes is the attacker's need to guess which accounts exist, so that every subsequent attempt can be spent on a real target.

Organizations that rely on FormaLMS for e-learning and training face a correspondingly higher risk of account compromise, exposure of training records and reputational damage if enumerated usernames are used effectively. All deployments of the affected versions are exposed, with large user bases and instances holding sensitive training content the most attractive targets. The absence of an authentication requirement and the ease of exploitation increase the risk; the lack of known exploitation in the wild limits the immediate impact for now.

Mitigation Recommendations

To mitigate CVE-2026-26744, organizations should:

1) Monitor FormaLMS vendor communications and apply official patches or updates as soon as they become available.

2) Return an identical response for valid and invalid usernames on the password recovery path: the same message, the same HTTP status and the same redirect, with the recovery e-mail queued for asynchronous delivery rather than sent inline so that response time does not depend on whether the account exists.

3) Rate limit the /lostpwd endpoint per client address and per submitted username so that automated enumeration of a wordlist becomes impractical; when the application sits behind a proxy or load balancer, key the limit on the forwarded client address rather than the proxy's own.

4) Consider adding a CAPTCHA or other challenge-response test on the password recovery form to hinder automated submission.

5) Audit user accounts regularly and disable inactive or suspicious accounts, which shrinks the set of valid targets an enumerated list can yield.

6) Educate users on strong, unique passwords and encourage multi-factor authentication if supported by FormaLMS, so that a confirmed username is not enough for account takeover.

7) Monitor logs for unusual patterns of password recovery requests, in particular one client address submitting many distinct usernames in a short window, to detect enumeration attempts early.

These measures collectively reduce the risk of user enumeration and of the attacks that build on it.
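The following is an added example, not FormaLMS code, implementing three of the mitigations above in a framework-independent way: a recovery handler whose status and message are the same on every path, a sliding-window rate limit keyed by client address and by submitted username, and a log check that flags a client probing many distinct usernames. The user store, the log line format, the limits and the message texts are assumptions made for the example.

```python
"""Uniform-response recovery handler, rate limiting and log detection (added example)."""
from collections import defaultdict, deque

# Constructed user store: username -> e-mail address on file (assumption).
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}

GENERIC_MESSAGE = "If an account with that username exists, a recovery e-mail has been sent."
THROTTLED_MESSAGE = "Too many requests. Try again later."


class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window` seconds per key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class RecoveryEndpoint:
    """Handler for a /lostpwd submission that gives no existence oracle.

    `enqueue_mail` queues the recovery e-mail instead of sending it inline,
    so the request path does the same work whether or not the user exists.
    The limiter keys on the submitted username string, so the throttled
    answer is also identical for real and invented names.
    """

    def __init__(self, users, enqueue_mail, ip_limit=(5, 60.0), user_limit=(3, 600.0)):
        self.users = users
        self.enqueue_mail = enqueue_mail
        self.ip_limiter = RateLimiter(*ip_limit)
        self.user_limiter = RateLimiter(*user_limit)

    def lost_password(self, username: str, client_ip: str, now: float):
        """Return (status, message); both are independent of whether the user exists."""
        if not self.ip_limiter.allow(client_ip, now) or not self.user_limiter.allow(username, now):
            return 429, THROTTLED_MESSAGE
        email = self.users.get(username)
        if email is not None:
            self.enqueue_mail(email)
        return 200, GENERIC_MESSAGE


# Constructed log lines in an assumed format: "<epoch> <client ip> POST /lostpwd user=<name>".
SAMPLE_LOG = """\
1771500000 203.0.113.9 POST /lostpwd user=alice
1771500002 203.0.113.9 POST /lostpwd user=bob
1771500003 203.0.113.9 POST /lostpwd user=carol
1771500005 203.0.113.9 POST /lostpwd user=dave
1771500007 203.0.113.9 POST /lostpwd user=erin
1771500010 198.51.100.4 POST /lostpwd user=alice
1771500600 198.51.100.4 POST /lostpwd user=alice
"""


def enumeration_suspects(log_text: str, window: float = 300.0, distinct_users: int = 5):
    """Client addresses that asked for recovery of >= distinct_users names within `window` seconds.

    A legitimate user retrying recovery hits the same username repeatedly;
    an enumeration run cycles through many different ones.
    """
    seen = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        ts, ip, _method, _path, user = line.split()
        seen[ip].append((int(ts), user.split("=", 1)[1]))
    suspects = []
    for ip, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {u for t, u in events[i:] if t - start <= window}
            if len(names) >= distinct_users:
                suspects.append(ip)
                break
    return suspects


if __name__ == "__main__":
    outbox = []
    endpoint = RecoveryEndpoint(USERS, outbox.append)
    print(endpoint.lost_password("alice", "192.0.2.1", 0.0))
    print(endpoint.lost_password("nobody", "192.0.2.1", 1.0))
    print("queued:", outbox, "suspects:", enumeration_suspects(SAMPLE_LOG))
```

The per-username limit has a cost worth weighing: an attacker who submits a victim's username three times blocks that user's own recovery for the window, so keep the per-username window short, or apply it only as a secondary limit behind the per-address one, and alert on the 429s rather than silently dropping them.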


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-02-16T00:00:00.000Z
CVSS Version: null (no score assigned in the record)
State: PUBLISHED

Threat ID: 69978157d7880ec89b34978e

Added to database: 2/19/2026, 9:32:07 PM

Last enriched: 2/19/2026, 9:48:31 PM

Last updated: 2/21/2026, 12:17:38 AM

