CVE-2026-26717 - Vulnerability Details

- HMAC Timing Attack Enabling Signature Forgery in OpenFUN Richie LMS

Description

An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the sync_course_run_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response time discrepancies

Published: 2026-02-25

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the HMAC signature verification in the sync_course_run_from_request function of OpenFUN Richie LMS. A non‑constant‑time comparison operator is used, which permits an attacker to measure response times and deduce a correct signature. With a forged signature the attacker can bypass authentication and perform actions that are normally restricted to authenticated users.

Affected Systems

This flaw affects deployments of OpenFUN Richie LMS where the sync_course_run_from_request endpoint is enabled. The specific code path is located in src/richie/apps/courses/api.py. A remediation commit (a1b5bbda3403d7debb466c303a32852925fcba5f) has been released to replace the comparison with a constant‑time routine. No affected version information is available.

Risk and Exploitability

The CVSS score is 4.8, representing a medium severity issue, while the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote over a network, requiring an attacker to sacrifice a request to the sync_course_run_from_request endpoint to time the response and forge a valid HMAC. This allows unauthorized access to protected resources or actions within the LMS. The likelihood of exploitation is low according to current metrics, but the impact of bypassing authentication warrants timely resolution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Openfun

Richie

70%

Version	Status	Scheme	Platform
`—`	affected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the patch introduced in commit a1b5bbda3403d7debb466c303a32852925fcba5f to use a constant‑time comparison for HMAC verification.
If the patch cannot be applied immediately, disable or restrict the sync_course_run_from_request endpoint to prevent unauthenticated access.
Review and enforce strict access controls on all API endpoints that rely on HMAC signatures, ensuring that only legitimate requests are processed.
Regularly audit authentication mechanisms to detect and remediate any timing variations in future updates.

Generated by OpenCVE AI on April 18, 2026 at 10:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-xjhr-fm27-4hmx	OpenFUN Richie Observable Timing Discrepancy in its sync_course_run_from_request function

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00097.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Rickidevs/CVE-2026-26717
https://github.com/openfun/richie/commit/a1b5bbda3403d7debb466c303a32852925fcba5f
https://medium.com/@ordogh/cve-2026-26717-hmac-timing-attack-in-openfun-richie-lms-f04377efe83d?postPublishedType=repub

History

Sat, 18 Apr 2026 11:15:00 +0000

Type	Values Removed	Values Added
Title		HMAC Timing Attack Enabling Signature Forgery in OpenFUN Richie LMS

Fri, 27 Feb 2026 02:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Feb 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-208
Metrics		cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openfun Openfun richie
Vendors & Products		Openfun Openfun richie

Wed, 25 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the sync_course_run_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response time discrepancies
References		https://github.com/Rickidevs/CVE-2026-26717 https://github.com/openfun/richie/commit/a1b5bbda3403d7debb466c303a32852925fcba5f https://medium.com/@ordogh/cve-2026-26717-hmac-timing-attack-in-openfun-richie-lms-f04377efe83d?postPublishedType=repub

Subscriptions

Openfun Richie

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-02-25T00:00:00.000Z

Updated: 2026-02-26T19:11:04.934Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26717

Vulnrichment

Updated: 2026-02-26T19:05:51.701Z

NVD

Status : Deferred

Published: 2026-02-25T17:25:39.293

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26717

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses

CWE-208

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object