
CVE-2026-26744: n/a

Severity: Medium
Published: Thu Feb 19 2026 (02/19/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 12:44:13 UTC

Technical Analysis

CVE-2026-26744 identifies a user enumeration vulnerability in FormaLMS, an open-source learning management system widely used for corporate and educational training. The vulnerability exists in the password recovery functionality accessible via the /lostpwd endpoint. When an attacker submits a username during password recovery, the application responds differently depending on whether the username exists in the system. This discrepancy in error messages allows an unauthenticated attacker to confirm valid usernames by observing the response differences. The vulnerability is classified under CWE-204 (Information Exposure Through Discrepancy). The CVSS 3.1 base score is 5.3, reflecting a medium severity level, with an attack vector of network (remote), no privileges required, and no user interaction needed. The impact is limited to confidentiality as only username information is disclosed; integrity and availability are unaffected. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. However, the vulnerability facilitates reconnaissance activities that can serve as a precursor to more severe attacks such as phishing, social engineering, or brute force password attacks. Organizations using FormaLMS 4.1.18 or earlier should be aware of this issue and monitor for updates or apply custom mitigations to reduce information leakage.

Potential Impact

The primary impact of this vulnerability is the exposure of valid usernames to unauthenticated attackers. This information leakage compromises confidentiality by enabling attackers to build accurate user lists, which can be leveraged in targeted phishing campaigns, credential stuffing attacks, or brute force attempts to gain unauthorized access. While the vulnerability does not directly affect system integrity or availability, the resulting attacks facilitated by user enumeration can lead to account compromise, data breaches, and potential lateral movement within affected organizations. Educational institutions, corporate training departments, and other organizations relying on FormaLMS for user management and training delivery are at risk of having their user data exposed, potentially undermining trust and compliance with data protection regulations. The ease of exploitation and lack of required authentication increase the likelihood of reconnaissance activities by malicious actors.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates from FormaLMS that address the user enumeration issue. In the absence of an official patch, administrators can implement the following practical measures:

1) Standardize error messages in the password recovery process so that responses do not differ based on username validity, thereby preventing attackers from distinguishing valid users.
2) Implement rate limiting and IP throttling on the /lostpwd endpoint to reduce the feasibility of automated enumeration attempts.
3) Employ web application firewalls (WAFs) with rules designed to detect and block enumeration patterns targeting password recovery endpoints.
4) Monitor logs for unusual activity related to password recovery requests, especially repeated attempts with varying usernames.
5) Educate users about phishing risks and encourage strong, unique passwords combined with multi-factor authentication (MFA) to reduce the impact of compromised credentials.
6) Consider temporarily disabling the password recovery feature if it is not essential or replacing it with more secure alternatives.

These steps collectively reduce the risk of information leakage and subsequent attacks.
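The following is an added example, not FormaLMS code and not part of this advisory. It shows the response-discrepancy pattern the description attributes to the /lostpwd endpoint next to a handler that applies mitigation 1 (one response regardless of username validity), a sliding-window per-client limiter for mitigation 2, and a log check for mitigation 4 that flags a client trying many different usernames in a short window. The user set, the handler and class names, and the log line format are constructed for the demonstration and are not the application's own.

```python
"""Added example (not FormaLMS code): CWE-204 response discrepancy on a
lost-password endpoint, a hardened handler, a per-client rate limiter and
a log check for enumeration bursts.  Names and log format are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for the application's user table.
REGISTERED_USERS = {"alice", "bob"}


def queue_recovery_mail(username):
    """Placeholder for the real side effect (sending a reset link).
    Returns nothing: the response must never depend on whether this ran."""
    return None


def lostpwd_vulnerable(username):
    """Mirrors the flaw in the advisory: the body itself reveals whether
    the username is registered (an observable response discrepancy)."""
    if username in REGISTERED_USERS:
        queue_recovery_mail(username)
        return 200, "A recovery link has been sent to your e-mail address."
    return 200, "Username not found."


def lostpwd_hardened(username):
    """Mitigation 1: identical status and body for valid and invalid names.
    The side effect still happens for a real user but is not reflected in
    the response; slow work (SMTP, DB writes) should be queued, not done
    inline, so response timing does not differ either."""
    if username in REGISTERED_USERS:
        queue_recovery_mail(username)
    return 200, "If that username exists, a recovery link has been sent."


def has_response_discrepancy(handler, valid_name, invalid_name):
    """Regression check: a handler leaks if (status, body) differs between
    a known-registered and a known-unregistered username."""
    return handler(valid_name) != handler(invalid_name)


class LostPwdRateLimiter:
    """Mitigation 2: at most `limit` /lostpwd requests per client address
    inside a sliding window of `window_s` seconds."""

    def __init__(self, limit=5, window_s=300):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(list)  # client ip -> request timestamps

    def allow(self, client_ip, now):
        recent = [t for t in self._hits[client_ip] if now - t < self.window_s]
        if len(recent) < self.limit:
            recent.append(now)
            allowed = True
        else:
            allowed = False
        self._hits[client_ip] = recent
        return allowed


def flag_enumeration(log_lines, distinct_threshold=5, window_s=60):
    """Mitigation 4: flag client addresses that submit many *different*
    usernames to /lostpwd within `window_s` seconds.  Expects the constructed
    format "<iso8601> <ip> <method> <path> user=<name>"."""
    per_ip = defaultdict(list)
    for line in log_lines:
        ts_text, ip, _method, path, param = line.split()
        if path != "/lostpwd" or not param.startswith("user="):
            continue
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00")).timestamp()
        per_ip[ip].append((ts, param[len("user="):]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for start, _ in events:
            names = {u for t, u in events if start <= t < start + window_s}
            if len(names) >= distinct_threshold:
                flagged[ip] = len(names)  # distinct usernames tried in-window
                break
    return flagged


# Constructed sample log: one client walking a username list, one normal user.
SAMPLE_LOG = [
    "2026-02-19T10:00:00Z 203.0.113.5 POST /lostpwd user=admin",
    "2026-02-19T10:00:02Z 203.0.113.5 POST /lostpwd user=alice",
    "2026-02-19T10:00:04Z 203.0.113.5 POST /lostpwd user=bob",
    "2026-02-19T10:00:06Z 203.0.113.5 POST /lostpwd user=carol",
    "2026-02-19T10:00:08Z 203.0.113.5 POST /lostpwd user=dave",
    "2026-02-19T10:00:10Z 203.0.113.5 POST /lostpwd user=erin",
    "2026-02-19T10:05:00Z 198.51.100.7 POST /lostpwd user=alice",
    "2026-02-19T10:05:30Z 198.51.100.7 POST /lostpwd user=alice",
]

if __name__ == "__main__":
    print("vulnerable leaks:", has_response_discrepancy(lostpwd_vulnerable, "alice", "nobody"))
    print("hardened leaks:  ", has_response_discrepancy(lostpwd_hardened, "alice", "nobody"))
    print("flagged clients: ", flag_enumeration(SAMPLE_LOG))
```

The discrepancy check is the kind of test worth keeping in a suite for any self-service recovery or registration endpoint: it compares the whole response tuple, so a fix that equalizes the message but leaves a different status code still fails it. The log check keys on distinct usernames per client rather than raw request volume, which separates a scripted walk through a username list from a legitimate user retrying their own account.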


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-02-16T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69978157d7880ec89b34978e

Added to database: 2/19/2026, 9:32:07 PM

Last enriched: 2/28/2026, 12:44:13 PM

Last updated: 4/5/2026, 12:47:58 AM

Views: 40
