Skip to main content

RELATE EUVDEUVD-2026-28656

| CVE-2026-41588 CRITICAL
Observable Timing Discrepancy (CWE-208)
2026-05-08 security-advisories@github.com
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 08, 2026 - 16:18 EUVD
Source Code Evidence Fetched
May 08, 2026 - 16:17 vuln.today
Analysis Generated
May 08, 2026 - 16:17 vuln.today
CVE Published
May 08, 2026 - 15:16 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py - check_sign_in_key(). This issue has been patched via commit 2f68e16.

AnalysisAI

Timing attack vulnerability in RELATE's authentication module allows remote unauthenticated attackers to infer valid sign-in keys through response time analysis. The CWE-208 timing side-channel in course/auth.py's check_sign_in_key() function enables attackers to distinguish between valid and invalid authentication tokens by measuring server response latencies. While attack complexity is high (AC:H) due to the precise timing measurements required, successful exploitation grants full authentication bypass with cross-scope impact. Patched in commit 2f68e16. No public exploit identified at time of analysis. EPSS data not provided, CVSS 9.0 (Critical) reflects potential for complete system compromise via side-channel cryptanalysis.

Technical ContextAI

This is a CWE-208 (Observable Timing Discrepancy) vulnerability in RELATE, an open-source web-based courseware management system built in Python/Django. The vulnerable check_sign_in_key() function in course/auth.py performs authentication token validation using non-constant-time comparison operations. When verifying user-supplied sign-in keys against stored credentials, the function likely uses standard string equality operators that short-circuit on the first mismatching character, creating measurable timing differences. Attackers can exploit these microsecond-level variations to perform byte-by-byte key recovery: correct key prefixes take slightly longer to reject than completely wrong keys. This is a classic example of remote timing side-channel attacks against authentication systems, similar to historical vulnerabilities in password verification, HMAC validation, and cryptographic token comparison routines. The fix in commit 2f68e16 likely replaces vulnerable comparison logic with constant-time comparison functions (such as hmac.compare_digest() in Python) that always perform full-length comparisons regardless of where differences occur.

RemediationAI

Upgrade RELATE to commit 2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb or later, available at https://github.com/inducer/relate/commit/2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb. The patch replaces timing-vulnerable comparison operations with constant-time equivalents in the authentication key validation logic. For production deployments, pull the latest code from the main branch or apply the specific commit as a patch. If immediate patching is not feasible, implement network-level rate limiting to restrict authentication attempts to a maximum of 10 requests per IP address per minute, which significantly increases the time required for statistical timing analysis from hours to weeks. Additionally, deploy a web application firewall (WAF) with behavior-based anomaly detection to flag IP addresses performing repetitive authentication failures with consistent timing patterns. Note that rate limiting will impact legitimate users who mistype credentials multiple times and may require user support process adjustments. As a detection measure, enable detailed authentication logging with microsecond timestamps and monitor for patterns of rapid authentication failures from single source IPs, which may indicate timing attack reconnaissance.

Share

EUVD-2026-28656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy