{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26717", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-26T19:11:04.934Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-02-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-25T16:23:19.179Z"}, "descriptions": [{"lang": "en", "value": "An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the sync_course_run_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response time discrepancies"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/openfun/richie/commit/a1b5bbda3403d7debb466c303a32852925fcba5f"}, {"url": "https://github.com/Rickidevs/CVE-2026-26717"}, {"url": "https://medium.com/@ordogh/cve-2026-26717-hmac-timing-attack-in-openfun-richie-lms-f04377efe83d?postPublishedType=repub"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-208", "lang": "en", "description": "CWE-208 Observable Timing Discrepancy"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T19:10:20.591862Z", "id": "CVE-2026-26717", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:11:04.934Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26717", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T19:10:20.591862Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:05:51.701Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/openfun/richie/commit/a1b5bbda3403d7debb466c303a32852925fcba5f"}, {"url": "https://github.com/Rickidevs/CVE-2026-26717"}, {"url": "https://medium.com/@ordogh/cve-2026-26717-hmac-timing-attack-in-openfun-richie-lms-f04377efe83d?postPublishedType=repub"}], "descriptions": [{"lang": "en", "value": "An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the sync_course_run_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response time discrepancies"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-25T16:23:19.179Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26717", "state": "PUBLISHED", "dateUpdated": "2026-02-26T19:11:04.934Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the sync_course_run_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response time discrepancies"}, {"lang": "es", "value": "Un problema en OpenFUN Richie (LMS) en src/richie/apps/courses/api.py. La aplicaci\u00f3n utiliz\u00f3 el operador == de tiempo no constante para la verificaci\u00f3n de firmas HMAC en la funci\u00f3n sync_course_run_from_request. Esto permite a atacantes remotos forjar firmas v\u00e1lidas y eludir la autenticaci\u00f3n midiendo las discrepancias en el tiempo de respuesta."}], "id": "CVE-2026-26717", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-25T17:25:39.293", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Rickidevs/CVE-2026-26717"}, {"source": "cve@mitre.org", "url": "https://github.com/openfun/richie/commit/a1b5bbda3403d7debb466c303a32852925fcba5f"}, {"source": "cve@mitre.org", "url": "https://medium.com/@ordogh/cve-2026-26717-hmac-timing-attack-in-openfun-richie-lms-f04377efe83d?postPublishedType=repub"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "richie", "vendor": "openfun"}], "analysis": {"en": {"generated_at": "2026-04-18T10:51:14.915731+00:00", "value": {"mitigation_remediation": ["Apply the patch introduced in commit a1b5bbda3403d7debb466c303a32852925fcba5f to use a constant\u2011time comparison for HMAC verification.", "If the patch cannot be applied immediately, disable or restrict the sync_course_run_from_request endpoint to prevent unauthenticated access.", "Review and enforce strict access controls on all API endpoints that rely on HMAC signatures, ensuring that only legitimate requests are processed.", "Regularly audit authentication mechanisms to detect and remediate any timing variations in future updates."], "summary": {"action": "Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "This flaw affects deployments of OpenFUN Richie LMS where the sync_course_run_from_request endpoint is enabled. The specific code path is located in src/richie/apps/courses/api.py. A remediation commit (a1b5bbda3403d7debb466c303a32852925fcba5f) has been released to replace the comparison with a constant\u2011time routine. No affected version information is available.", "description_and_impact": "The vulnerability resides in the HMAC signature verification in the sync_course_run_from_request function of OpenFUN Richie LMS. A non\u2011constant\u2011time comparison operator is used, which permits an attacker to measure response times and deduce a correct signature. With a forged signature the attacker can bypass authentication and perform actions that are normally restricted to authenticated users.", "risk_and_exploitability": "The CVSS score is 4.8, representing a medium severity issue, while the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote over a network, requiring an attacker to sacrifice a request to the sync_course_run_from_request endpoint to time the response and forge a valid HMAC. This allows unauthorized access to protected resources or actions within the LMS. The likelihood of exploitation is low according to current metrics, but the impact of bypassing authentication warrants timely resolution."}}}}, "created": "2026-02-26T13:18:27.974092+00:00", "title": "HMAC Timing Attack Enabling Signature Forgery in OpenFUN Richie LMS", "updated": "2026-04-18T11:00:05.737600+00:00", "vendors": ["openfun", "openfun$PRODUCT$richie"]}