CVE-2026-41588
Undergoing Analysis Undergoing Analysis - In Progress
Timing Attack in RELATE Courseware

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py β€” check_sign_in_key(). This issue has been patched via commit 2f68e16.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41588
EUVD
EUVD-2026-28656
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
inducer relate to 2024.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a timing attack found in the RELATE project's authentication code, specifically in the check_sign_in_key() function within course/auth.py.

The issue arises because Python's == operator performs string comparisons in a way that takes variable time depending on the input, allowing an attacker to measure response times and gradually leak valid sign-in tokens byte-by-byte.

The vulnerability affects versions of the relate-courseware package up to and including 2024.1 and was patched by replacing the insecure comparison with a constant-time comparison using hmac.compare_digest().

Impact Analysis

This vulnerability can have a critical impact on the confidentiality, integrity, and availability of the affected system.

An attacker can remotely exploit the timing attack without any privileges or user interaction to gradually discover valid sign-in tokens.

With these tokens, the attacker could potentially gain unauthorized access, compromise user accounts, and disrupt the normal operation of the courseware system.

Detection Guidance

This vulnerability is a timing attack in the RELATE project's authentication function, which can be detected by observing response time discrepancies when validating sign-in tokens.

To detect exploitation attempts on your system or network, you can monitor for unusual or repeated authentication requests to the `check_sign_in_key()` function or related endpoints, especially those that measure response times.

Specific commands are not provided in the available resources, but general approaches include using network monitoring tools like tcpdump or Wireshark to capture authentication traffic, and timing analysis scripts to detect non-constant-time comparisons.

Additionally, reviewing logs for repeated failed authentication attempts with varying payloads may help identify timing attack attempts.

Mitigation Strategies

The immediate mitigation step is to update the RELATE courseware package to a version that includes the patch from commit 2f68e16.

This patch replaces the insecure use of the `==` operator for token comparison with the secure `hmac.compare_digest()` function, which performs constant-time comparisons and prevents timing attacks.

Until the update can be applied, consider restricting access to the authentication endpoints to trusted networks or users to reduce the risk of remote exploitation.

Compliance Impact

The timing attack vulnerability in RELATE's authentication mechanism allows an attacker to remotely leak valid sign-in tokens byte-by-byte, impacting confidentiality, integrity, and availability of the system.

Such a vulnerability could potentially lead to unauthorized access to sensitive user data, which may affect compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health information against unauthorized disclosure.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41588. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart