Compliance Impact

CVE-2026-47161 allows an attacker to achieve full Remote Code Execution (RCE) on the host system running the RELATE LMS. This can lead to unauthorized access to the server, including the database and course data, and potentially pivoting to the internal network.

Such unauthorized access and control over sensitive data and systems can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Therefore, this vulnerability poses a significant risk to compliance with these regulations by potentially exposing personal and sensitive information to unauthorized parties.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the RELATE LMS Celery workers are configured to accept and deserialize untrusted pickle data, which is insecure. Specifically, you should verify the Celery configuration setting `CELERY_ACCEPT_CONTENT` to see if it includes "pickle" as an accepted serialization format.

To detect potential exploitation attempts or presence of the vulnerability on your system or network, you can:

• Inspect the Celery worker configuration files or environment variables for `CELERY_ACCEPT_CONTENT` and confirm it does not include "pickle".
• Monitor network traffic to the message broker (e.g., Redis or RabbitMQ) for unusual or unauthorized connections, especially from authenticated students or untrusted sources.
• Look for suspicious Celery tasks that might be serialized with pickle format or contain unusual payloads.

Example commands to check the Celery configuration on the host system might include:

• Using grep to find the setting in configuration files: `grep -r CELERY_ACCEPT_CONTENT /path/to/relate/config/`
• If environment variables are used, check with: `printenv | grep CELERY_ACCEPT_CONTENT`
• To monitor network connections to the message broker (assuming RabbitMQ on default port 5672): `netstat -anp | grep 5672` or `ss -anp | grep 5672`
• To inspect running Celery worker command line or environment: `ps aux | grep celery`

Since the vulnerability involves deserialization of untrusted pickle data, detection of exploit attempts may require monitoring Celery task payloads or broker queues for suspicious serialized data, which typically requires custom logging or broker inspection tools.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in the RELATE web-based courseware package. Before a specific code update, RELATE's LMS configured its Celery workers to accept and deserialize untrusted 'pickle' data. Because of this, an attacker who can access the message broker can execute arbitrary commands on the host server. Additionally, due to missing network isolation in the code execution sandbox, an authenticated student can exploit this to achieve full Remote Code Execution (RCE) on the host system.

The issue was fixed in commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker with access to the message broker to execute arbitrary commands on the host server. Specifically, an authenticated student could gain full Remote Code Execution (RCE) capabilities on the host system, potentially leading to complete system compromise.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update RELATE LMS to include the fix introduced in commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, which prevents Celery workers from accepting and deserializing untrusted 'pickle' data.

Additionally, ensure proper network isolation for the code execution sandbox to prevent authenticated students from achieving full Remote Code Execution (RCE) on the host system.

Useful 0 Not Useful 0