CVE-2026-41588: CWE-208: Observable Timing Discrepancy in inducer relate
CVE-2026-41588 is a critical timing attack vulnerability in the RELATE web-based courseware package, specifically in the check_sign_in_key() function within course/auth. py. The flaw allows an attacker to observe timing discrepancies that could lead to information disclosure. This vulnerability affects versions prior to commit 2f68e16 and has been patched in that commit. The CVSS score is 9. 0, indicating a critical severity with high impact on confidentiality, integrity, and availability.
AI Analysis
Technical Summary
The RELATE courseware package contained a timing attack vulnerability (CWE-208) in the check_sign_in_key() function of course/auth.py. This vulnerability allowed attackers to exploit observable timing differences to potentially gain sensitive information. The issue was fixed in commit 2f68e16. The vulnerability has a CVSS v3.1 score of 9.0, reflecting its critical nature with network attack vector, high attack complexity, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation of this timing attack vulnerability could lead to disclosure of sensitive authentication information, potentially allowing attackers to bypass authentication mechanisms. The vulnerability impacts confidentiality, integrity, and availability of the affected system. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability has been patched in commit 2f68e16 of the RELATE project. Users and administrators should update to this commit or a later version to remediate the issue. Since this is not a cloud service, remediation requires applying the patch to affected installations. Patch status is confirmed by the vendor commit reference.
CVE-2026-41588: CWE-208: Observable Timing Discrepancy in inducer relate
Description
CVE-2026-41588 is a critical timing attack vulnerability in the RELATE web-based courseware package, specifically in the check_sign_in_key() function within course/auth. py. The flaw allows an attacker to observe timing discrepancies that could lead to information disclosure. This vulnerability affects versions prior to commit 2f68e16 and has been patched in that commit. The CVSS score is 9. 0, indicating a critical severity with high impact on confidentiality, integrity, and availability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The RELATE courseware package contained a timing attack vulnerability (CWE-208) in the check_sign_in_key() function of course/auth.py. This vulnerability allowed attackers to exploit observable timing differences to potentially gain sensitive information. The issue was fixed in commit 2f68e16. The vulnerability has a CVSS v3.1 score of 9.0, reflecting its critical nature with network attack vector, high attack complexity, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation of this timing attack vulnerability could lead to disclosure of sensitive authentication information, potentially allowing attackers to bypass authentication mechanisms. The vulnerability impacts confidentiality, integrity, and availability of the affected system. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability has been patched in commit 2f68e16 of the RELATE project. Users and administrators should update to this commit or a later version to remediate the issue. Since this is not a cloud service, remediation requires applying the patch to affected installations. Patch status is confirmed by the vendor commit reference.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-21T14:15:21.959Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fdff95cbff5d8610e6d702
Added to database: 5/8/2026, 3:21:57 PM
Last enriched: 5/8/2026, 3:36:40 PM
Last updated: 5/8/2026, 8:47:14 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.