CVE-2026-41505
Predictable Token Generation in RELATE Courseware
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inducer | relate | to 2f68e16 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41505 is a security vulnerability in the RELATE web-based courseware package caused by the use of non-cryptographic pseudo-random number generators (PRNGs) for generating security-sensitive tokens.
Specifically, the functions make_sign_in_key() in course/auth.py and gen_ticket_code() in course/exam.py use Python's random module (Mersenne Twister), which is not cryptographically secure.
This allows attackers who observe enough token outputs to predict future tokens, potentially leading to account takeover via password reset token prediction and unauthorized exam access by predicting exam ticket codes.
The vulnerability has been patched by replacing the insecure PRNGs with cryptographically secure alternatives from Python's secrets module.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-41505 involves predictable token generation due to the use of non-cryptographic pseudo-random number generators in security-sensitive functions. This vulnerability can lead to account takeover and unauthorized exam access by allowing attackers to predict tokens used for password resets, sign-ins, and exam tickets.
Such weaknesses in token security can impact compliance with standards like GDPR and HIPAA, which require protection of user data and secure authentication mechanisms to prevent unauthorized access and data breaches.
Specifically, the integrity and availability impacts (as indicated by the CVSS score) could lead to violations of data protection and privacy requirements mandated by these regulations.
The vulnerability has been patched by replacing insecure PRNGs with cryptographically secure alternatives, which helps restore compliance by improving token security.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized account takeover and unauthorized access to exams.
- Attackers can predict password reset tokens, allowing them to reset passwords and take over user accounts.
- Attackers can predict exam ticket codes, gaining unauthorized access to exams.
The vulnerability affects the integrity and availability of the system, as indicated by its high CVSS score of 8.7.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the use of non-cryptographically secure pseudo-random number generators in token generation functions within the RELATE project. Detection involves identifying whether the vulnerable functions `make_sign_in_key()` in `course/auth.py` and `gen_ticket_code()` in `course/exam.py` are using Python's insecure `random` module instead of the secure `secrets` module.
To detect this on your system, inspect the source of these two functions for use of the `random` module. For example, the following commands search the relevant files for imports of `random` and for calls into it (the regex dot is escaped so that only `random.` itself matches, and the import pattern also catches the `from random import ...` form):
- `grep -nE '^(import random|from random import)' course/auth.py course/exam.py`
- `grep -n 'random\.' course/auth.py course/exam.py`
If these commands show that `random` is used for token generation, the installed version is vulnerable. Additionally, monitoring network traffic for predictable token patterns may be possible but is complex and not directly described in the resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the RELATE software to include the patch introduced in commit 2f68e16, which replaces the insecure pseudo-random number generators with cryptographically secure alternatives from Python's `secrets` module.
Specifically, the vulnerable functions should be changed as follows:
- Change `make_sign_in_key()` to build the key with `secrets.token_hex(32)` instead of the `random` module.
- Change `gen_ticket_code()` to draw each character with `secrets.choice()` from a predefined alphabet instead of `random.choice()`.
Applying this patch will prevent attackers from predicting tokens and gaining unauthorized access or control.
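The "before" and "after" shape of the fix described above, as an added illustration that is not code from the RELATE repository: the insecure generators use the module-level Mersenne Twister, the hardened ones use `secrets`, and a seed-reset check shows why the former are predictable. The ticket alphabet and code length are assumptions, since the page gives neither.

```python
import random
import secrets
import string

# Assumed alphabet and length for exam ticket codes (not specified on the page).
# Ambiguous glyphs (0/O, 1/I/l) are omitted so codes can be read aloud.
TICKET_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
TICKET_LENGTH = 8


# --- "before": the pattern CVE-2026-41505 describes (Mersenne Twister, not a CSPRNG) ---
def make_sign_in_key_insecure() -> str:
    # random.getrandbits() is driven by the 624-word MT state; outputs are predictable.
    return "%064x" % random.getrandbits(256)


def gen_ticket_code_insecure() -> str:
    return "".join(random.choice(TICKET_ALPHABET) for _ in range(TICKET_LENGTH))


# --- "after": the fix as the advisory describes it, using the secrets module ---
def make_sign_in_key() -> str:
    # 32 bytes from the OS CSPRNG, rendered as 64 lowercase hex characters.
    return secrets.token_hex(32)


def gen_ticket_code(alphabet: str = TICKET_ALPHABET, length: int = TICKET_LENGTH) -> str:
    # secrets.choice() picks each character from the OS CSPRNG without modulo bias.
    return "".join(secrets.choice(alphabet) for _ in range(length))


# --- format checks a reviewer can apply to either generator's output ---
def is_well_formed_sign_in_key(key: str) -> bool:
    return len(key) == 64 and all(c in string.hexdigits for c in key)


def is_well_formed_ticket_code(code: str, alphabet: str = TICKET_ALPHABET,
                               length: int = TICKET_LENGTH) -> bool:
    return len(code) == length and all(c in alphabet for c in code)


def seeded_generators_repeat(seed: int = 12345) -> bool:
    """Why the 'before' functions are unsafe: once the generator state is known
    (here, by re-seeding), it reproduces the exact same 'secret' tokens.
    The secrets module has no seed to reset, so this cannot happen there."""
    random.seed(seed)
    first = (make_sign_in_key_insecure(), gen_ticket_code_insecure())
    random.seed(seed)
    second = (make_sign_in_key_insecure(), gen_ticket_code_insecure())
    return first == second
```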