CVE-2026-23946
Deserialization RCE in Tendenci Helpdesk Module (Pre
Publication date: 2026-01-22
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tendenci | tendenci | to 15.3.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23946 is a deserialization vulnerability in the Tendenci Helpdesk module affecting versions 15.3.11 and below. It occurs because the application uses Python's unsafe pickle.loads() function to deserialize data in the run_report() function. This allows an authenticated user with staff-level permissions to execute arbitrary code remotely by submitting malicious serialized data. The vulnerability stems from incomplete patching of a previous issue (CVE-2020-14942), where only one function was fixed to use safe JSON deserialization, but run_report() remained vulnerable. The Helpdesk module is not enabled by default, and the impact is limited to the permissions of the application user (usually www-data). The issue has been fixed in version 15.3.12 by replacing pickle deserialization with safe JSON deserialization and improving input validation. [2, 3, 4, 8]
How can this vulnerability impact me? :
This vulnerability allows an authenticated user with staff-level privileges to execute arbitrary code on the server running the Tendenci application. The code execution occurs with the permissions of the application user (typically www-data), which usually has limited write and execute permissions outside upload directories. While this limits the scope of damage, an attacker could still manipulate data, disrupt service, or potentially escalate privileges depending on the server configuration. The vulnerability impacts confidentiality, integrity, and availability of the system at a high level within the scope of the application user's permissions. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your Tendenci installation is running version 15.3.11 or below with the Helpdesk module enabled, and if the vulnerable function run_report() is used which deserializes data unsafely with pickle.loads(). Since the vulnerability requires authenticated staff-level access and involves deserialization of base64-encoded pickle data in saved queries, detection can include: 1. Checking the Tendenci version installed (e.g., via command line or application info). 2. Reviewing logs for suspicious POST requests to the helpdesk /reports/ endpoint containing base64-encoded data in saved_query or query_encoded parameters. 3. Searching for usage of pickle.loads() in the helpdesk views/staff.py file to confirm if the vulnerable code is present. 4. Monitoring for unusual or unauthorized staff-level user activity. Specific commands might include: - `grep -r 'pickle.loads' tendenci/apps/helpdesk/views/staff.py` to check for vulnerable code usage. - `curl -u staffuser:password -X POST https://your-tendenci-site/helpdesk/reports/ -d 'saved_query=...'` to test deserialization endpoints (with caution). - Checking application logs for suspicious base64-encoded payloads in requests. However, no explicit detection commands are provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Upgrade Tendenci to version 15.3.12 or later, where the vulnerability is fixed by replacing unsafe pickle deserialization with safe JSON deserialization in the Helpdesk module. 2. If upgrading immediately is not possible, consider disabling the Helpdesk module since it is not enabled by default and the vulnerability is limited to that module. 3. Restrict staff-level user access to trusted personnel only, as the vulnerability requires authenticated staff privileges. 4. Apply patches that validate and sanitize input data, such as the introduction of the SavedSearchForm for validating saved queries to prevent malicious payloads. 5. Review and apply the code changes from the commits that replace pickle with simplejson and add validation (see commits in Resources 4 and 8). These steps reduce the risk of remote code execution via deserialization of untrusted data. [2, 4, 8]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss the impact of CVE-2026-23946 on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows remote code execution by an authenticated staff-level user, it could potentially lead to unauthorized access or modification of sensitive data, which may affect confidentiality and integrity requirements under such regulations. The impact is limited by the application's user permissions, typically restricting write and execute capabilities outside upload directories. Nonetheless, no direct statements about compliance implications are provided in the resources. [2, 3]