CVE-2026-31283: n/a
In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.
AI Analysis
Technical Summary
This vulnerability in Totara LMS versions up to 19.1.5 involves the forgot password API not implementing rate limiting on password reset requests per email address, which could be abused for Email Bombing attacks. The supplier clarifies that the pwresettime configuration, defaulting to 30 minutes, acts as a hard control using the PWRESET_STATUS_ALREADYSENT flag to block additional password reset emails within that period. No official patch or remediation level is indicated in the available data.
Potential Impact
If exploited, an attacker could trigger a large volume of password reset emails to a single email address, potentially leading to denial of service or email inbox flooding. However, the supplier's stated controls limit the frequency of such emails to one per 30 minutes per address, mitigating the risk of rapid repeated abuse. There is no indication of direct compromise of user accounts or data confidentiality, integrity, or availability beyond the email flooding risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The supplier indicates that the pwresettime configuration enforces a 30-minute cooldown between password reset emails per address, which mitigates the risk of Email Bombing. Administrators should verify that this configuration is enabled and functioning as intended. No additional immediate action is specified by the vendor.
CVE-2026-31283: n/a
Description
In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.
CVSS v3.1
Score 9.8critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Totara LMS versions up to 19.1.5 involves the forgot password API not implementing rate limiting on password reset requests per email address, which could be abused for Email Bombing attacks. The supplier clarifies that the pwresettime configuration, defaulting to 30 minutes, acts as a hard control using the PWRESET_STATUS_ALREADYSENT flag to block additional password reset emails within that period. No official patch or remediation level is indicated in the available data.
Potential Impact
If exploited, an attacker could trigger a large volume of password reset emails to a single email address, potentially leading to denial of service or email inbox flooding. However, the supplier's stated controls limit the frequency of such emails to one per 30 minutes per address, mitigating the risk of rapid repeated abuse. There is no indication of direct compromise of user accounts or data confidentiality, integrity, or availability beyond the email flooding risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The supplier indicates that the pwresettime configuration enforces a 30-minute cooldown between password reset emails per address, which mitigates the risk of Email Bombing. Administrators should verify that this configuration is enabled and functioning as intended. No additional immediate action is specified by the vendor.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-03-09T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dcfe7a82d89c981ff7d604
Added to database: 4/13/2026, 2:32:26 PM
Last enriched: 4/29/2026, 10:59:41 AM
Last updated: 5/29/2026, 12:47:45 PM
Views: 96
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.