CVE-2026-31282

CRITICAL

Totara LMS <=v19.1.5 - Incorrect Access Control

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-31282. PoCs published by saykino.

AI-analyzed exploit summary This repository provides a detailed technical description of CVE-2026-31282, an incorrect access control vulnerability in Totara LMS. It explains how the login page can be manipulated to bypass Okta authentication and chain with a missing rate-limit to enable brute force attacks.

Description

Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client side control); (2) there is no evidence SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when disabled server side.

Exploits (1)

nomisec WRITEUP
by saykino · poc
https://github.com/saykino/CVE-2026-31282

This repository provides a detailed technical description of CVE-2026-31282, an incorrect access control vulnerability in Totara LMS. It explains how the login page can be manipulated to bypass Okta authentication and chain with a missing rate-limit to enable brute force attacks.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Totara LMS versions <= 19.1.5
No auth needed
Prerequisites: Access to the login page of Totara LMS
devstral-2 · analyzed Apr 13, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0006
EPSS Percentile 19.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-284
Status published
Published Apr 13, 2026
Tracked Since Apr 13, 2026