CVE-2026-26717

Name of the Vulnerable Software and Affected Versions OpenFUN Richie (LMS) (affected versions not specified)

Description The application uses a non-constant time comparison operator for HMAC signature verification within the sync course run from request function, located in src/richie/apps/courses/api.py. This allows attackers to potentially forge valid signatures and bypass authentication by observing response time differences. The vulnerable comparison is performed using the == operator. The API endpoint involved is not explicitly mentioned, but the issue resides within the course run synchronization functionality. The vulnerable parameter is the HMAC signature used for authentication.

Recommendations Replace the non-constant time comparison operator with a constant-time comparison function in the sync course run from request function.