CVE-2026-41588
Timing Attack in RELATE Courseware
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inducer | relate | up to and including 2024.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a timing attack found in the RELATE project's authentication code, specifically in the check_sign_in_key() function within course/auth.py.
The issue arises because Python's == operator compares strings in a way that can stop at the first mismatching character, so the time it takes depends on how much of the supplied value matches the stored token; an attacker who measures response times can use this to leak valid sign-in tokens byte-by-byte.
The vulnerability affects versions of the relate-courseware package up to and including 2024.1 and was patched by replacing the insecure comparison with a constant-time comparison using hmac.compare_digest().
How can this vulnerability impact me?
This vulnerability can have a critical impact on the confidentiality, integrity, and availability of the affected system.
An attacker can remotely exploit the timing attack without any privileges or user interaction to gradually discover valid sign-in tokens.
With these tokens, the attacker could potentially gain unauthorized access, compromise user accounts, and disrupt the normal operation of the courseware system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a timing attack in the RELATE project's authentication function, which can be detected by observing response time discrepancies when validating sign-in tokens.
To detect exploitation attempts on your system or network, monitor for unusual or repeated authentication requests to the sign-in endpoints that call `check_sign_in_key()`, especially high-rate bursts of attempts from a single source that look like response-time measurement rather than a user retrying a key.
Specific commands are not provided in the available resources, but general approaches include capturing authentication traffic with network monitoring tools such as tcpdump or Wireshark, and running timing-analysis scripts against a test instance to confirm whether the deployed version still uses a non-constant-time comparison.
Additionally, reviewing logs for repeated failed authentication attempts with varying payloads may help identify timing attack attempts.
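The log-review approach above, turned into a small detector as an added example (this is not RELATE's code and the page gives no log format, so the line format, field names, thresholds and sample entries are all constructed here): it parses sign-in log lines, keeps only failures, and flags a source that accumulates many failed attempts with many distinct key values inside a sliding window, which is the pattern of a client probing tokens rather than a user retyping one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (constructed for this example, not RELATE's format).
# key_fp is a fingerprint of the submitted key, so tokens never land in logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) "
    r"key_fp=(?P<fp>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_probing_sources(lines, window=timedelta(seconds=60),
                         min_failures=20, min_distinct=10):
    """Return {source: max_failures_in_window} for sources whose failed sign-in
    attempts within any `window` use at least `min_distinct` different keys.

    Thresholds are assumptions; tune them to the site's real traffic.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["result"] == "fail":
            by_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            distinct = {r["fp"] for r in chunk}
            if len(chunk) >= min_failures and len(distinct) >= min_distinct:
                flagged[src] = max(flagged.get(src, 0), len(chunk))
    return flagged


def build_sample_log():
    """Constructed sample: one probing client, one legitimate user, one garbled line."""
    base = datetime(2026, 5, 8, 10, 0, 0)
    lines = []
    # Probing client: 30 failures in 30 seconds, each with a different key.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=203.0.113.5 path=/course/cs101/sign-in "
                     f"key_fp=probe{i:02d} result=fail")
    # Legitimate user: retypes the same wrong key a few times, then succeeds.
    for i in range(5):
        ts = (base + timedelta(seconds=100 + i)).isoformat()
        lines.append(f"{ts} src=198.51.100.7 path=/course/cs101/sign-in "
                     f"key_fp=typo1 result=fail")
    ts = (base + timedelta(seconds=110)).isoformat()
    lines.append(f"{ts} src=198.51.100.7 path=/course/cs101/sign-in "
                 f"key_fp=good1 result=ok")
    lines.append("this line is not a sign-in record")
    return lines


if __name__ == "__main__":
    print(find_probing_sources(build_sample_log()))
```

Run it against real exported logs by feeding `find_probing_sources` an iterable of lines; the distinct-key requirement is what separates probing from an ordinary user who simply mistypes the same key repeatedly.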
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the RELATE courseware package to a version that includes the patch from commit 2f68e16.
This patch replaces the insecure use of the `==` operator for token comparison with the secure `hmac.compare_digest()` function, which performs constant-time comparisons and prevents timing attacks.
Until the update can be applied, consider restricting access to the authentication endpoints to trusted networks or users to reduce the risk of remote exploitation.
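The defect explained in the first answer and the fix described in this one, side by side as an added example (this is not RELATE's `check_sign_in_key()` from course/auth.py, which is not reproduced on this page; the function names, the early-exit model and the sample key are constructed): `early_exit_equal` counts how many characters a first-mismatch comparison examines, which is the variable-work behaviour CWE-208 describes, while `constant_time_equal` wraps `hmac.compare_digest()` and also handles the cases where that call would raise (mixed types, non-ASCII str) by normalising both sides to bytes first.

```python
import hmac


def early_exit_equal(expected: str, supplied: str) -> tuple:
    """Model of a non-constant-time comparison (illustrative only).

    Returns (equal, work), where `work` is the number of characters examined
    before the loop stopped. The count grows with the length of the matching
    prefix, which is what a response-time measurement can observe.
    """
    if len(expected) != len(supplied):
        return False, 0
    work = 0
    for e, s in zip(expected, supplied):
        work += 1
        if e != s:
            return False, work
    return True, work


def constant_time_equal(expected, supplied) -> bool:
    """Hardened comparison built on hmac.compare_digest(), as in the patch.

    compare_digest needs both arguments to be bytes-like, or both ASCII-only
    str; anything else raises TypeError. Normalising to UTF-8 bytes avoids
    that, and non-string input is treated as a failed match, not an error.
    """
    if not isinstance(expected, str) or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def check_sign_in_key_vulnerable(stored_key: str, supplied_key: str) -> bool:
    """Shape of the pre-patch check: a plain == comparison (hypothetical)."""
    return stored_key == supplied_key


def check_sign_in_key_fixed(stored_key: str, supplied_key: str) -> bool:
    """Shape of the post-patch check: constant-time comparison (hypothetical)."""
    return constant_time_equal(stored_key, supplied_key)


def work_profile(expected: str, candidates: list) -> list:
    """Work done by the early-exit model for each candidate key."""
    return [early_exit_equal(expected, c)[1] for c in candidates]


if __name__ == "__main__":
    key = "k7f3q9x2"  # constructed sample sign-in key
    candidates = ["a0000000", "k0000000", "k7f00000", "k7f3q9x2"]
    # Longer matching prefixes cost the early-exit model more work.
    print(work_profile(key, candidates))
    # Both checks agree on the answer; only the fixed one hides the work done.
    for c in candidates:
        assert check_sign_in_key_vulnerable(key, c) == check_sign_in_key_fixed(key, c)
```

The `work_profile` output makes the leak visible without any network timing: the comparison's cost rises one step per correctly guessed leading character, and `constant_time_equal` returns the same booleans while spending the same effort regardless of where the inputs differ.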
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The timing attack vulnerability in RELATE's authentication mechanism allows an attacker to remotely leak valid sign-in tokens byte-by-byte, impacting confidentiality, integrity, and availability of the system.
Such a vulnerability could potentially lead to unauthorized access to sensitive user data, which may affect compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health information against unauthorized disclosure.
However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.