CVE-2026-26717

Published: Feb 25, 2026

Modified: Feb 26, 2026

PUBLISHED

Description

An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the sync_course_run_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response time discrepancies

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/openfun/richie/commit/a1b5bbda3403d7debb466c303a32852925fcba5f

https://github.com/Rickidevs/CVE-2026-26717

https://medium.com/@ordogh/cve-2026-26717-hmac-timing-attack-in-openfun-richie-lms-f04377efe83d?postPublishedType=repub

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-26717

Description

Affected Products

References