Description
RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined with missing network isolation in the code execution sandbox, this allows an authenticated student to achieve full Remote Code Execution (RCE) on the host system. Commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb fixes the issue.
Published: 2026-05-27
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RELATE LMS allows Celery workers to deserialize untrusted pickle data. If an attacker can reach the message broker, they can execute arbitrary commands on the host, compromising confidentiality, integrity, and availability. Because the code execution sandbox lacks network isolation, an authenticated student can obtain full Remote Code Execution on the host system.

Affected Systems

The vulnerability affects RELATE LMS from inducer:relate, specifically any release prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb. All users of the unpatched version are susceptible.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. Exploitation requires attacker access to the Celery message broker, which may be reachable if the broker is not network isolated. Once in position, a crafted pickle payload grants full control of the host. No EPSS data is available and the vulnerability is not listed in KEV, but the combination of high impact and achievable attack path makes this a significant risk for organizations running unpatched RELATE instances.

Generated by OpenCVE AI on May 27, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest RELATE release containing commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb.
  • Configure Celery to disable pickle deserialization, e.g., set serializer whitelist to json or turn off allow_pickle.
  • Enforce network isolation so that the message broker is accessible only from trusted hosts and not exposed to the broader network or student access.

Generated by OpenCVE AI on May 27, 2026 at 20:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined with missing network isolation in the code execution sandbox, this allows an authenticated student to achieve full Remote Code Execution (RCE) on the host system. Commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb fixes the issue.
Title RELATE Vulnerable to Remote Code Execution (RCE) via Insecure Celery Pickle Deserialization
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:31:55.375Z

Reserved: 2026-05-18T21:25:34.496Z

Link: CVE-2026-47161

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-27T20:16:39.420

Modified: 2026-05-27T20:16:39.420

Link: CVE-2026-47161

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T21:00:14Z

Weaknesses