Description
RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. This issue has been patched via commit 2f68e16.
Published: 2026-05-07
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from deterministic token generation in the make_sign_in_key() function of auth.py and the gen_ticket_code() function of exam.py, allowing an attacker to predict or recreate authentication tokens and exam tickets. This flaw enables unauthorized sign-in and access to user exam data, effectively bypassing authentication and potentially exposing confidential educational content. The weakness is classified under CWE-330 and CWE-338, indicating the use of non-secret or inadequately random token values.

Affected Systems

All versions of inducer:relate released before the commit 2f68e16. After that commit, the bug is patched; version updates or patch application are strongly recommended.

Risk and Exploitability

The CVSS score of 8.7 denotes high severity with potential for remote exploitation. Although EPSS data is not available, the public disclosure and patch commit suggest that the exploit is known and could be readily leveraged. The vulnerability is not listed in CISA KEV, but its high CVSS and the nature of the token predictability imply a significant likelihood of compromise if left unpatched. The likely attack vector involves the web interface; an attacker could submit crafted requests that trigger token generation, requiring no special credentials and yielding immediate access or exam manipulation.

Generated by OpenCVE AI on May 7, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch referenced by commit 2f68e16 or upgrade to the latest RELATE release that contains the fix.
  • Invalidate any existing authentication tokens or exam tickets generated before the patch to prevent the reuse of predictable values.
  • Audit the authentication and exam ticket generation functions to confirm that cryptographically secure random number generators are used and enforce proper access control policies.

Generated by OpenCVE AI on May 7, 2026 at 15:36 UTC.
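The third recommended action asks operators to confirm that the token generators use a cryptographically secure RNG. The following is an added example, not OpenCVE's or RELATE's code: an AST-based audit that flags Python functions drawing from the non-cryptographic `random` module (CWE-338), beside the `secrets`-based generator such a function should use. The sample source and the function bodies in it are constructed; only the names make_sign_in_key and gen_ticket_code come from the advisory.

```python
"""Audit helper for the third recommended action above: flag token functions
that draw from Python's non-cryptographic `random` module (CWE-338) and show
the `secrets`-based replacement. Illustrative code written for this page, not
RELATE's; SAMPLE_SOURCE is constructed, not taken from auth.py or exam.py."""
import ast
import secrets
import string

# random.* calls whose output is predictable from the Mersenne Twister state.
# random.SystemRandom is OS-backed and deliberately not listed.
WEAK_RANDOM_CALLS = {"random", "randint", "randrange", "choice", "choices",
                     "getrandbits", "sample", "shuffle"}

# Constructed sample: a predictable generator beside a corrected one. Bodies
# are hypothetical; only the function names come from the advisory text.
SAMPLE_SOURCE = '''
import random, secrets, string

def make_sign_in_key():
    # weak: Mersenne Twister output, CWE-338
    return "".join(random.choice(string.ascii_letters) for _ in range(50))

def gen_ticket_code():
    # fixed: OS-backed CSPRNG
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(8))
'''

def find_weak_token_functions(source: str) -> list[str]:
    """Return names of functions containing a module-qualified random.<weak> call."""
    flagged = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for call in ast.walk(node):
            if (isinstance(call, ast.Call)
                    and isinstance(call.func, ast.Attribute)
                    and isinstance(call.func.value, ast.Name)
                    and call.func.value.id == "random"
                    and call.func.attr in WEAK_RANDOM_CALLS):
                flagged.append(node.name)
                break  # one finding per function is enough
    return flagged

def secure_token(length: int = 50, alphabet: str = string.ascii_letters) -> str:
    """Token drawn from the OS CSPRNG: the pattern a fixed generator should use."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print("weak:", find_weak_token_functions(SAMPLE_SOURCE))  # ['make_sign_in_key']
```

Run it against auth.py and exam.py (or any module) by passing their text to find_weak_token_functions; an empty list means no module-qualified `random.*` call was found, though aliased imports such as `from random import choice` would need an extra check.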

Advisories

No advisories yet.

History

Thu, 07 May 2026 15:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Inducer
                                       Inducer relate
Vendors & Products                     Inducer
                                       Inducer relate

Thu, 07 May 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 14:30:00 +0000

Type          Values Removed   Values Added
Description                    RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. This issue has been patched via commit 2f68e16.
Title                          RELATE: Predictable Token Generation in auth.py and exam.py
Weaknesses                     CWE-330
                               CWE-338
References
Metrics                        cvssV3_1
                               {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:44:48.542Z

Reserved: 2026-04-20T18:18:50.681Z

Link: CVE-2026-41505

Vulnrichment

Updated: 2026-05-07T14:44:45.055Z

NVD

Status: Awaiting Analysis

Published: 2026-05-07T15:16:07.010

Modified: 2026-05-07T15:53:49.717

Link: CVE-2026-41505

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:45:32Z

Weaknesses