Overview
CVE-2026-41588 is a critical timing attack vulnerability in RELATE, an open-source web-based courseware platform used by academic institutions for course management and examination. The flaw carries a CVSS v3.1 base score of 9.0 (Critical) and affects all versions prior to the patch introduced in commit 2f68e16.
The vulnerability exists in course/auth.py within the check_sign_in_key() function. The function compared authentication tokens using a non-constant-time string comparison, allowing an attacker to infer valid sign-in key values by measuring the response time differences of repeated requests.
Technical Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-41588 |
| CVSS Score | 9.0 (Critical) |
| Affected File | course/auth.py — check_sign_in_key() |
| Vulnerability Type | Timing Side-Channel (CWE-208) |
| Attack Vector | Network |
| Authentication | None required |
| Patched In | Commit 2f68e16 |
What Is a Timing Attack?
Timing attacks are a class of side-channel attacks where an adversary extracts secret information by measuring the time taken to perform cryptographic operations or comparisons. In authentication contexts, if a string comparison function returns early upon finding the first non-matching character (as standard equality operators do), an attacker can send many requests varying one character at a time and use the response latency to determine correct characters.
The Vulnerable Code Pattern
Standard Python string comparison (==) is not constant-time:

```python
# Vulnerable pattern: == returns as soon as it finds a mismatching character
def check_sign_in_key(provided_key, stored_key):
    if provided_key == stored_key:
        return True  # grant access
    return False
```

When provided_key[0] doesn't match stored_key[0], the comparison returns immediately. When provided_key[0] does match, the function continues to compare subsequent bytes, taking slightly longer. Over thousands of requests, this timing difference becomes measurable and exploitable.
Impact on RELATE
RELATE is used by universities and educational institutions to:
- Administer exams and quizzes
- Manage course materials and grades
- Authenticate students, instructors, and administrators via sign-in keys
Successful exploitation of this timing attack could allow an attacker to:
- Reconstruct valid sign-in keys character-by-character
- Gain unauthorized access to student or instructor accounts
- Access or manipulate exam content and grades
Remediation
The vulnerability was patched by replacing the non-constant-time comparison with Python's hmac.compare_digest(), which performs constant-time string comparison:

```python
import hmac

# Patched pattern: compare_digest examines every character regardless of where
# the inputs differ, so response time no longer depends on the mismatch position
def check_sign_in_key(provided_key, stored_key):
    if hmac.compare_digest(provided_key, stored_key):
        return True  # grant access
    return False
```

All RELATE deployments should update to a version that includes commit 2f68e16 or later.
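The early-exit behaviour described under "The Vulnerable Code Pattern" and the hmac.compare_digest() fix above, side by side, as an added example that is not RELATE's code: early_exit_compare() mimics == and reports how many bytes it examined before stopping (the quantity that shows up as response time), constant_time_compare() shows the accumulate-XOR construction that touches every byte, and check_sign_in_key() is a hardened wrapper around hmac.compare_digest() that normalises str input to bytes, because compare_digest() raises TypeError for str arguments containing non-ASCII characters. The function names, the leak_profile() helper and every key value are constructed for this example.

```python
from __future__ import annotations

import hmac

# Added example, not RELATE's code. Instruments a byte-by-byte comparison to
# show how an early-exit == leaks the position of the first mismatch, then
# contrasts it with a constant-time comparison and with the hmac.compare_digest
# wrapper a sign-in-key check should use. All key values below are constructed.


def early_exit_compare(provided: bytes, stored: bytes) -> tuple[bool, int]:
    """Mimic the short-circuit behaviour of == on bytes/str.

    Returns (match, bytes_examined). bytes_examined is what an observer sees
    as response time: it grows by one for every leading byte that matches.
    Like ==, a length mismatch is detected before any content is compared.
    """
    if len(provided) != len(stored):
        return False, 0
    examined = 0
    for a, b in zip(provided, stored):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(provided: bytes, stored: bytes) -> tuple[bool, int]:
    """Hand-rolled constant-time comparison for illustration only.

    Every byte is visited and the result is accumulated with OR/XOR, so the
    work done does not depend on where (or whether) the inputs differ.
    In production use hmac.compare_digest, whose C implementation does this
    without interpreter-level timing noise.
    """
    if len(provided) != len(stored):
        return False, 0
    diff = 0
    for a, b in zip(provided, stored):
        diff |= a ^ b
    return diff == 0, len(stored)


def check_sign_in_key(provided_key, stored_key) -> bool:
    """Hardened check around hmac.compare_digest.

    Rejects empty keys and converts str to bytes so that compare_digest never
    raises TypeError on a str/bytes mix or on non-ASCII str input.
    """
    if not provided_key or not stored_key:
        return False
    if isinstance(provided_key, str):
        provided_key = provided_key.encode("utf-8")
    if isinstance(stored_key, str):
        stored_key = stored_key.encode("utf-8")
    return hmac.compare_digest(provided_key, stored_key)


def leak_profile(stored: bytes, guesses: list[bytes]) -> list[int]:
    """Bytes examined by early_exit_compare for each constructed guess.

    Rising counts for longer correct prefixes are the signal that a timing
    measurement exposes; constant_time_compare would report the same count
    for every guess of the right length.
    """
    return [early_exit_compare(g, stored)[1] for g in guesses]


if __name__ == "__main__":
    key = b"abcd1234"  # constructed sign-in key for the demonstration
    guesses = [b"zbcd1234", b"abcz1234", b"abcd1234"]
    print("early-exit bytes examined:", leak_profile(key, guesses))
    print("constant-time bytes examined:",
          [constant_time_compare(g, key)[1] for g in guesses])
    print("hardened check:", check_sign_in_key("abcd1234", key))
```

The Python documentation notes that when the two inputs differ in length or type, compare_digest() could theoretically reveal information about their types and lengths through timing, but not their values; the hand-rolled constant_time_compare() returns early on a length mismatch and so shares that property. Neither function hides anything about the provided key itself, which the caller already knows.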
Immediate actions:
- Pull the latest RELATE source and apply the patch
- Rotate all existing sign-in keys as a precaution
- Review access logs for repeated authentication attempts from single IPs
- Consider rate-limiting authentication endpoints
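For the third and fourth actions above (reviewing access logs for repeated attempts from single IPs and deciding where rate limiting is needed), an added example that is not part of RELATE: a small log scanner that counts requests to the sign-in endpoint per source address inside a sliding time window and flags addresses over a threshold, since a timing attack needs thousands of near-identical requests and that volume is its most visible trace. The log line format, the /sign-in/ path, the addresses and the timestamps are all constructed for the example; RELATE's real sign-in URL and your web server's access-log layout will differ, so LOG_RE and the path_prefix argument are the parts to adapt.

```python
from __future__ import annotations

import re
from collections import defaultdict
from collections.abc import Iterable
from datetime import datetime, timedelta

# Added example, not RELATE's code. Flags source addresses that hammer the
# sign-in endpoint. The log format and endpoint path are constructed for this
# example; adapt LOG_RE and path_prefix to your access-log layout and to
# RELATE's actual sign-in URL.

# Constructed format: "<ISO timestamp>Z <client ip> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> dict | None:
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def flag_repeated_sign_in(
    lines: Iterable[str],
    path_prefix: str = "/sign-in",
    window: timedelta = timedelta(minutes=5),
    threshold: int = 50,
) -> dict[str, int]:
    """Return {ip: peak requests in any window} for addresses at or over threshold.

    Only requests whose path starts with path_prefix are counted, so ordinary
    course traffic from the same address does not inflate the count.
    """
    per_ip: dict[str, list[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        per_ip[rec["ip"]].append(rec["ts"])

    flagged: dict[str, int] = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window: advance start until the window fits.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def sample_log() -> list[str]:
    """Constructed access-log lines: one address retrying sign-in 120 times in
    two minutes, one ordinary user, and non-sign-in requests that are ignored."""
    base = datetime(2026, 3, 1, 10, 0, 0)
    lines = []
    for i in range(120):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 203.0.113.7 POST /sign-in/ 403")
    lines.append("2026-03-01T10:00:30Z 198.51.100.2 POST /sign-in/ 302")
    lines.append("2026-03-01T10:01:30Z 198.51.100.2 GET /course/intro/ 200")
    lines.append("2026-03-01T10:02:00Z 203.0.113.7 GET /course/intro/ 200")
    return lines


if __name__ == "__main__":
    for ip, peak in flag_repeated_sign_in(sample_log()).items():
        print(f"{ip}: {peak} sign-in requests within one 5-minute window")
```

The threshold and window are the tuning knobs: legitimate users rarely submit a sign-in key more than a handful of times in five minutes, so a count in the tens from one address is worth a closer look, and the same per-address counter is what a rate limit on the endpoint would enforce in real time instead of after the fact.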