Skip to main content

RELATE courseware CVE-2026-41505

| EUVDEUVD-2026-28379 HIGH
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
2026-05-07 GitHub_M
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 07, 2026 - 16:02 EUVD
Source Code Evidence Fetched
May 07, 2026 - 15:00 vuln.today
Analysis Generated
May 07, 2026 - 15:00 vuln.today
CVE Published
May 07, 2026 - 13:35 nvd
HIGH 8.7

DescriptionGitHub Advisory

RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. This issue has been patched via commit 2f68e16.

AnalysisAI

Predictable token generation in RELATE courseware allows remote attackers to forge authentication and exam access tokens. The vulnerability affects two critical security functions: make_sign_in_key() in auth.py (user authentication) and gen_ticket_code() in exam.py (exam access control). Weak pseudorandom number generation (CWE-338) enables attackers with high complexity to bypass authentication mechanisms and gain unauthorized access to exams with potential for integrity and availability compromise across security boundaries (CVSS scope change). Patched in commit 2f68e16. EPSS data not available; no public exploit identified at time of analysis.

Technical ContextAI

RELATE is a web-based courseware platform (cpe:2.3:a:inducer:relate) used for course management and online examinations. The vulnerability stems from CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator), where token generation functions rely on insufficiently random or predictable entropy sources. Authentication tokens generated by make_sign_in_key() control user session establishment, while exam ticket codes from gen_ticket_code() grant access to timed exam sessions. Predictable PRNG output allows attackers to enumerate or predict valid tokens through statistical analysis or brute-force attempts with reduced computational effort compared to cryptographically secure random generation. The commit 2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb replaced weak PRNG implementations, evidenced by significant code removal in auth.py parameter handling and exam.py token generation logic.

RemediationAI

Update RELATE to commit 2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb or later, which replaces weak PRNG implementations with cryptographically secure random generation. Patch available at https://github.com/inducer/relate/commit/2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb. For environments unable to immediately patch, implement compensating controls: (1) Rotate all existing authentication tokens and exam tickets to invalidate potentially compromised credentials-disrupts active sessions but prevents token reuse. (2) Enable aggressive rate limiting on authentication endpoints (10 attempts per IP per hour) to increase computational cost of token prediction attacks-may impact legitimate users in shared network environments. (3) Implement anomalous authentication pattern detection (multiple failed token validations, rapid token enumeration attempts) with temporary IP blocking-requires log analysis infrastructure. (4) Restrict exam access windows to shortest practical duration and invalidate tickets immediately upon exam completion-reduces window for ticket prediction but may affect students with technical difficulties. None of these workarounds address root cause; upgrade remains essential for production environments hosting sensitive assessments.

Share

CVE-2026-41505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy