Description
RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16.
Published: 2026-05-08
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A timing side‑channel in the course/auth.py function check_sign_in_key() enables an attacker to infer the correct sign‑in key by measuring response times. Based on the description, it is inferred that an attacker could use this information to bypass authentication and gain unauthorized access to protected courseware resources. The weakness is identified as CWE‑208, a timing channel that can leak sensitive information.

Affected Systems

The vulnerability exists in the RELATE web‑based courseware product from inducer. All released versions prior to commit 2f68e16 are affected, regardless of release number, since the timing leak was present in the code base until that patch was applied.

Risk and Exploitability

The CVSS score of 9.0 classifies this vulnerability as a critical flaw. Based on the description, it is inferred that an attacker could exploit the timing side‑channel by issuing web‑based requests to the sign‑in endpoint and measuring response times to deduce the correct key. Because EPSS data is not available, the precise likelihood of exploitation cannot be quantified, but the high severity and the nature of the attack suggest that the vulnerability could be abused in realistic settings, especially over the public Internet. The flaw is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 8, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit 2f68e16 or upgrade to a version of RELATE that incorporates the fix. This removes the timing side‑channel.
  • Configure authentication endpoints to use constant‑time comparison logic or enforce rate‑limiting and timeout controls to defeat timing measurements. This mitigates the risk while a permanent patch is deployed.
  • Validate the absence of timing leakage by generating a test harness that compares response times for known valid and invalid keys; confirm that the differences are indistinguishable within measurement noise.
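As an added illustration of the constant‑time comparison the second action calls for (example code written for this page, not RELATE's check_sign_in_key() and not the contents of commit 2f68e16), here is a sign‑in‑key check written the leaky way and the constant‑time way, with hypothetical function names:

```python
import hashlib
import hmac
import secrets


def naive_sign_in_key_check(presented, expected):
    """Comparison in the style CWE-208 describes (illustrative, not RELATE's code).

    A plain == on strings may return as soon as the first differing character
    is seen, so a request carrying a key that shares a longer prefix with the
    real one can take measurably longer to be rejected.
    """
    return presented == expected


def constant_time_sign_in_key_check(presented, expected):
    """Accept or reject a presented key without key-dependent timing.

    Both values are hashed to a fixed-length digest first, so even a length
    mismatch is not distinguishable by timing, and hmac.compare_digest then
    compares the digests in time that does not depend on their contents.
    """
    if not isinstance(presented, str) or not isinstance(expected, str):
        # Missing or malformed input is rejected without touching the key.
        return False
    presented_digest = hashlib.sha256(presented.encode("utf-8")).digest()
    expected_digest = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(presented_digest, expected_digest)


def generate_sign_in_key(nbytes=32):
    """Fresh, unguessable key (secrets, not random) for a sign-in flow."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    key = generate_sign_in_key()
    print(constant_time_sign_in_key_check(key, key))        # True
    print(constant_time_sign_in_key_check(key + "x", key))  # False
```

Hashing to a fixed length before comparing is a general pattern that also hides the length of the stored key, which goes slightly beyond the single comparison the advisory names.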


Advisories

No advisories yet.

History

Sat, 09 May 2026 00:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 23:00:00 +0000

Type: First Time appeared
Values removed: none
Values added: Inducer; Inducer relate

Type: Vendors & Products
Values removed: none
Values added: Inducer; Inducer relate

Fri, 08 May 2026 15:15:00 +0000

Type: Description
Values removed: none
Values added: RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16.

Type: Title
Values removed: none
Values added: RELATE: Timing Attack Vulnerability in course/auth.py — check_sign_in_key()

Type: Weaknesses
Values removed: none
Values added: CWE-208

Type: References
Values removed: none
Values added: (empty)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T23:27:23.515Z

Reserved: 2026-04-21T14:15:21.959Z

Link: CVE-2026-41588

Vulnrichment

Updated: 2026-05-08T23:27:10.413Z

NVD

Status : Awaiting Analysis

Published: 2026-05-08T15:16:43.363

Modified: 2026-05-08T16:08:15.570

Link: CVE-2026-41588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:45:05Z

Weaknesses