cvedb.io
CVE-2026-26717
MEDIUM · CVSS 4.8
EPSS exploitation probability: 0%
Published 2026-02-25T17:25:39.293 · Last modified 2026-06-17T10:26:15.757

Summary

An issue was discovered in OpenFUN Richie (LMS), in src/richie/apps/courses/api.py. The application used the non-constant-time == operator for HMAC signature verification in the sync_course_run_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response time discrepancies.
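
The comparison pattern described above, next to a constant-time replacement. This is an added example, not Richie's code or the upstream fix; the function names, secret and request body are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values for this illustration; not taken from Richie.
SECRET = b"constructed-shared-secret"
BODY = b'{"resource_link": "https://example.org/course-run/1"}'


def sign(body: bytes, secret: bytes) -> str:
    """Hex-encoded HMAC-SHA256 of the request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_variable_time(body: bytes, presented: str, secret: bytes) -> bool:
    """Pattern named in the summary: == may return as soon as a difference
    is found, so its duration can depend on how much of the value matches."""
    return presented == sign(body, secret)


def verify_constant_time(body: bytes, presented, secret: bytes) -> bool:
    """Hardened form: hmac.compare_digest does not depend on the position
    of the first mismatch."""
    if not isinstance(presented, str):
        return False  # signature missing from the request
    try:
        # compare_digest raises TypeError on non-ASCII str, so compare bytes.
        presented_bytes = presented.encode("ascii")
    except UnicodeEncodeError:
        return False
    expected = sign(body, secret).encode("ascii")
    return hmac.compare_digest(presented_bytes, expected)


if __name__ == "__main__":
    good = sign(BODY, SECRET)
    print("valid signature accepted:", verify_constant_time(BODY, good, SECRET))
    print("wrong signature accepted:", verify_constant_time(BODY, "0" * 64, SECRET))
    print("missing signature accepted:", verify_constant_time(BODY, None, SECRET))
```

In a code review, any `==` or `!=` applied to a MAC, token or digest is the thing to look for; `hmac.compare_digest` is the standard-library replacement.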

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.