Description
RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16.
Published: 2026-05-08
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A timing side‑channel in check_sign_in_key() in course/auth.py lets an attacker infer a valid sign‑in key by measuring how long the server takes to reject a guess. From the description alone, an attacker who recovers a key could bypass authentication and reach protected courseware resources. The weakness is classified as CWE‑203 (Observable Discrepancy) and, more specifically, CWE‑208 (Observable Timing Discrepancy): the comparison's running time depends on the secret it is comparing against.

Affected Systems

The vulnerability exists in the RELATE web‑based courseware product from inducer. The affected range is defined by commit rather than by release number: every checkout prior to commit 2f68e16 carries the leaking comparison, and the CPE recorded for the issue (cpe:2.3:a:inducer:relate:*:*:*:*:*:*:*:*) accordingly matches all versions.

Risk and Exploitability

The CVSS 3.1 score of 9.0 (vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) rates the flaw critical: it is reachable over the network without privileges or user interaction, though attack complexity is rated high, which is consistent with a timing attack that must average many measurements to separate a small per‑request difference from network jitter. Based on the description, an attacker would issue repeated requests to the sign‑in endpoint and compare response times to deduce the correct key. The EPSS score puts the probability of exploitation below 1%, and the SSVC assessment records no known exploitation and rates the attack as not automatable; the likelihood is low but not zero, and the flaw remains relevant for high‑value deployments. It is not listed in CISA KEV.

Generated by OpenCVE AI on May 12, 2026 at 23:33 UTC.

Remediation

The vendor fix is commit 2f68e16, referenced in the description; no separate vendor advisory or workaround has been published.

OpenCVE Recommended Actions

  • Apply the patch from commit 2f68e16 or upgrade to a version of RELATE that incorporates the fix. This removes the timing side‑channel.
  • If the patch cannot be applied immediately, replace the key comparison with a constant‑time one (for Python code such as course/auth.py, hmac.compare_digest on fixed‑length inputs) so that the rejection time no longer depends on how many leading bytes of the guess are correct. Rate‑limiting and lockout on the sign‑in endpoint raise the cost of collecting enough samples but do not remove the leak; treat them as a stopgap, not a fix.
  • Validate the absence of timing leakage by generating a test harness that compares response times for known valid and invalid keys; confirm that the differences are indistinguishable within measurement noise.
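The following is an added example, not code from RELATE or from commit 2f68e16. It shows the general pattern behind the CWE‑208 weakness described above (a key comparison that returns at the first mismatching byte), the constant‑time replacement recommended in the actions above, and the kind of harness the last action calls for: it times each comparison against guesses that share a growing correct prefix with the key. All function names and the sample key are hypothetical.

```python
"""Added example, not code from RELATE or commit 2f68e16.

A leaky early-exit key comparison beside a constant-time replacement, and a
timing harness that measures both. Names are hypothetical."""
import hashlib
import hmac
import statistics
import time


def leaky_key_check(supplied: str, expected: str) -> bool:
    """Hypothetical early-exit comparison. Its running time grows with the
    length of the correct prefix of `supplied`, which is the timing channel."""
    if len(supplied) != len(expected):
        return False
    for a, b in zip(supplied.encode(), expected.encode()):
        if a != b:
            return False
    return True


def constant_time_key_check(supplied: str, expected: str) -> bool:
    """Fixed form. Both values are hashed to a fixed length first, so that
    hmac.compare_digest neither short-circuits on content nor reveals the
    length of the expected key through a length mismatch."""
    h_supplied = hashlib.sha256(supplied.encode()).digest()
    h_expected = hashlib.sha256(expected.encode()).digest()
    return hmac.compare_digest(h_supplied, h_expected)


def prefix_guess(expected: str, k: int) -> str:
    """Constructed attacker guess: the first k characters are correct, every
    later character is wrong."""
    wrong = "".join("y" if c == "x" else "x" for c in expected[k:])
    return expected[:k] + wrong


def median_ns(check, supplied: str, expected: str, samples: int) -> float:
    """Median wall-clock time of one call to `check`, in nanoseconds."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter_ns()
        check(supplied, expected)
        times.append(time.perf_counter_ns() - t0)
    return statistics.median(times)


def timing_profile(check, expected: str, samples: int = 5000) -> list:
    """Median time for guesses matching 0, 1, ..., len(expected) leading
    characters. A series that rises with the prefix length means the
    comparison leaks the position of the first wrong byte."""
    return [median_ns(check, prefix_guess(expected, k), expected, samples)
            for k in range(len(expected) + 1)]


if __name__ == "__main__":
    # Constructed sample key; a real sign-in key would come from the app.
    key = "constructed-sign-in-key-0123456789abcdef"
    for name, fn in (("leaky", leaky_key_check),
                     ("constant-time", constant_time_key_check)):
        profile = timing_profile(fn, key)
        print(f"{name:14s} 0 correct: {profile[0]:.0f} ns, "
              f"all correct: {profile[-1]:.0f} ns")
```

Run locally, the leaky profile rises with the number of correct leading characters while the constant‑time profile stays flat within noise. Per‑byte differences in CPython are tens of nanoseconds, so a harness over the network needs many more samples than the default here, which is why the CVSS vector rates attack complexity high rather than ruling the attack out.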



Advisories

No advisories yet.

History

Tue, 12 May 2026 21:15:00 +0000

Type            Values Removed    Values Added
Weaknesses                        CWE-203
CPEs                              cpe:2.3:a:inducer:relate:*:*:*:*:*:*:*:*

Sat, 09 May 2026 00:15:00 +0000

Type            Values Removed    Values Added
Metrics                           ssvc
                                  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 23:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Inducer
                                        Inducer relate
Vendors & Products                      Inducer
                                        Inducer relate

Fri, 08 May 2026 15:15:00 +0000

Type            Values Removed    Values Added
Description                       RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16.
Title                             RELATE: Timing Attack Vulnerability in course/auth.py — check_sign_in_key()
Weaknesses                        CWE-208
References
Metrics                           cvssV3_1
                                  {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T23:27:23.515Z

Reserved: 2026-04-21T14:15:21.959Z

Link: CVE-2026-41588

Vulnrichment

Updated: 2026-05-08T23:27:10.413Z

NVD

Status : Analyzed

Published: 2026-05-08T15:16:43.363

Modified: 2026-05-12T21:09:52.837

Link: CVE-2026-41588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses
  • CWE-203

    Observable Discrepancy

  • CWE-208

    Observable Timing Discrepancy