CVE-2026-26744
📋 TL;DR
A user enumeration vulnerability in FormaLMS 4.1.18 and earlier allows unauthenticated attackers to determine valid usernames via the password recovery endpoint. Attackers can exploit different error messages for valid versus invalid usernames to enumerate registered users. This affects all FormaLMS deployments with vulnerable versions exposed to network access.
💻 Affected Systems
- FormaLMS
📦 What is this software?
Formalms by Formalms
⚠️ Risk & Real-World Impact
Worst Case
Attackers build comprehensive user lists for targeted credential attacks, social engineering, or account takeover campaigns, potentially leading to data breaches or unauthorized access.
Likely Case
Attackers enumerate valid usernames to facilitate credential stuffing, brute force attacks, or targeted phishing against known users.
If Mitigated
Limited to username discovery without direct access to accounts, though still enabling reconnaissance for follow-on attacks.
🎯 Exploit Status
Exploitation requires only HTTP requests to the /lostpwd endpoint and analysis of response differences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check the FormaLMS GitHub repository or vendor channels for updates. Upgrade to a patched version when one is available.
🔧 Temporary Workarounds
Disable Password Recovery Endpoint
Block or restrict access to the /lostpwd endpoint via web server configuration or firewall rules. Note that this also disables password recovery for legitimate users, so pair it with a manual reset process.
# Example for Apache (server or virtual-host context, with RewriteEngine On): RewriteRule ^/lostpwd$ - [F]
# Example for Nginx: location /lostpwd { deny all; }
Implement Rate Limiting
Apply rate limiting to the /lostpwd endpoint to slow down enumeration attempts.
# Example using fail2ban or similar tools
# Configure web server rate limiting modules
🧯 If You Can't Patch
- Implement WAF rules to detect and block user enumeration patterns on the /lostpwd endpoint.
- Monitor logs for excessive requests to /lostpwd and set up alerting for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Send HTTP POST requests to /lostpwd with valid and invalid usernames; compare error messages for discrepancies indicating vulnerability.
Check Version:
Check FormaLMS version in admin panel or configuration files.
Verify Fix Applied:
Test that /lostpwd returns identical generic error messages regardless of username validity.
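The "Verify Fix Applied" check above amounts to comparing two captured responses from your own deployment: one for a test account you control and one for a username that does not exist. The helper below is an added example and not part of the advisory or of FormaLMS; the captured responses and their messages are constructed placeholders, not FormaLMS's real strings. It reports which response attributes still differ, and an empty result means the endpoint no longer reveals whether the username exists.

```python
import re

def normalize(body):
    # Collapse whitespace so template formatting noise neither hides nor fakes a difference.
    return re.sub(r"\s+", " ", body).strip()

def response_differences(resp_a, resp_b):
    """Return the names of attributes that differ between two captured
    responses to the password recovery endpoint. Each response is a dict
    with 'status' (int), 'headers' (dict) and 'body' (str)."""
    diffs = []
    if resp_a["status"] != resp_b["status"]:
        diffs.append("status")
    # A redirect to a different page for known vs unknown users is also a leak.
    if resp_a["headers"].get("Location") != resp_b["headers"].get("Location"):
        diffs.append("location")
    if normalize(resp_a["body"]) != normalize(resp_b["body"]):
        diffs.append("body")
    return diffs

def leaks_user_existence(resp_existing, resp_unknown):
    """True when the two responses are distinguishable, i.e. the fix is not in place."""
    return bool(response_differences(resp_existing, resp_unknown))

# Constructed captures (hypothetical messages) for a vulnerable deployment.
VULNERABLE_EXISTING = {"status": 200, "headers": {}, "body": "<p>An email has been sent to the address on file.</p>"}
VULNERABLE_UNKNOWN = {"status": 200, "headers": {}, "body": "<p>Username not found.</p>"}

# Constructed captures for a fixed deployment: same generic message either way.
FIXED_EXISTING = {"status": 200, "headers": {}, "body": "<p>If the account exists, an email has been sent.</p>"}
FIXED_UNKNOWN = {"status": 200, "headers": {}, "body": "<p>If   the account exists,\n an email has been sent.</p>"}

if __name__ == "__main__":
    print("vulnerable pair differs in:", response_differences(VULNERABLE_EXISTING, VULNERABLE_UNKNOWN))
    print("fixed pair differs in:", response_differences(FIXED_EXISTING, FIXED_UNKNOWN))
```

Run the check with a test account you own against a staging instance; the whitespace normalization is deliberate so that a fix that only reorders markup is not mistaken for a remaining difference.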
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /lostpwd from a single IP in a short window
- Patterns of different HTTP response codes for /lostpwd requests
Network Indicators:
- Unusual volume of requests to /lostpwd endpoint
- Sequential username guessing patterns in traffic
SIEM Query:
source="web_logs" url="/lostpwd" | stats count by src_ip | where count > threshold
(Splunk-style query; replace threshold with a numeric value tuned to your normal recovery traffic, and adjust the source and field names to your log schema.)
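For teams without a SIEM, the same detection can be run directly over web server access logs. The script below is an added example, not part of the advisory; it assumes the server writes Combined Log Format and that FormaLMS is served from the site root so the endpoint appears as /lostpwd. It counts POSTs to the endpoint per source IP within a sliding window and flags sources above a threshold, also recording the set of response sizes and status codes per source, since differing responses for known and unknown usernames tend to show up as a mix of sizes or codes from one client. The log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:14:02:01 +0000] "POST /lostpwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:02 +0000] "POST /lostpwd HTTP/1.1" 200 1498 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:02 +0000] "POST /lostpwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:03 +0000] "POST /lostpwd HTTP/1.1" 200 1498 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:04 +0000] "POST /lostpwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:05 +0000] "POST /lostpwd HTTP/1.1" 200 1498 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2026:14:05:10 +0000] "GET /lostpwd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2026:14:05:41 +0000] "POST /lostpwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2026:14:30:00 +0000] "POST /lostpwd HTTP/1.1" 200 1498 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2026:15:30:00 +0000] "POST /lostpwd HTTP/1.1" 200 1498 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec

def find_enumeration(lines, path="/lostpwd", window=timedelta(minutes=5), threshold=5):
    """Return {ip: summary} for sources that POSTed to `path` at least
    `threshold` times inside any `window`-long interval."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        # Sliding window: advance `start` until the window fits, track the densest burst.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "peak_in_window": peak,
                "total": len(recs),
                "distinct_sizes": len({r["size"] for r in recs}),
                "statuses": sorted({r["status"] for r in recs}),
            }
    return flagged

if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Tune `window` and `threshold` to your real recovery volume before alerting on the output; a single user retrying a forgotten username a couple of times should stay well under the bar, while the burst from 203.0.113.7 in the sample is flagged.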