VYPR
Medium severity (4.8) · NVD Advisory · Published Feb 25, 2026 · Updated Apr 15, 2026

CVE-2026-26717

Description

An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The application used the non-constant-time == operator for HMAC signature verification in the sync_course_runs_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response-time discrepancies.
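As an added illustration of the description above, and not code from the Richie project, the pre-fix and post-fix comparison are shown side by side; get_signature is a stand-in whose construction (HMAC-SHA256 over the raw body, hex-encoded) is assumed, since the advisory does not show how the real helper builds the digest.

```python
import hashlib
import hmac


# Assumed for this example: the advisory does not show how Richie's
# get_signature builds its digest, so HMAC-SHA256 over the raw body,
# hex-encoded, stands in for it here.
def get_signature(message: bytes, secret: str) -> str:
    digest = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    return "SIG-HMAC-SHA256 " + digest


def signature_is_valid_before(authorization_header: str, message: bytes, secrets) -> bool:
    # Pre-fix shape: str equality returns as soon as one byte differs, so the
    # time taken grows with how many leading bytes of the guess are right.
    return any(authorization_header == get_signature(message, secret) for secret in secrets)


def signature_is_valid_after(authorization_header: str, message: bytes, secrets) -> bool:
    # Post-fix shape, plus one hardening the diff itself does not include:
    # hmac.compare_digest rejects str operands that are not pure ASCII with a
    # TypeError, so the request value is converted to bytes first and a header
    # that cannot be encoded is treated as an invalid signature, not an error.
    try:
        provided = authorization_header.encode("ascii")
    except UnicodeEncodeError:
        return False
    return any(
        hmac.compare_digest(provided, get_signature(message, secret).encode("ascii"))
        for secret in secrets
    )


if __name__ == "__main__":
    # Constructed sample: one sync payload and two configured secrets, the
    # second being the current one (mirrors RICHIE_COURSE_RUN_SYNC_SECRETS).
    secrets = ["old-secret", "current-secret"]
    body = b'{"resource_link": "https://lms.example/courses/course-v1:X+Y+Z"}'
    good = get_signature(body, "current-secret")
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")
    print("valid header  :", signature_is_valid_before(good, body, secrets),
          signature_is_valid_after(good, body, secrets))
    print("tampered header:", signature_is_valid_after(tampered, body, secrets))
    print("non-ASCII header:", signature_is_valid_after("SIG-HMAC-SHA256 \u00e9", body, secrets))
```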

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
richie (PyPI)    < 3.3.0              3.3.0

Patches

a1b5bbda3403

🔒️(backend) use constant-time comparison for signature

https://github.com/openfun/richie · Jonathan Reveille · Jan 7, 2026 · via ghsa
1 file changed · +4 −1
  • src/richie/apps/courses/api.py (+4 −1, modified)
    @@ -2,6 +2,8 @@
     API endpoints for the courses app.
     """
     
    +import hmac
    +
     from django.conf import settings
     from django.core.cache import caches
     from django.db.models import Q
    @@ -253,8 +255,9 @@ def sync_course_runs_from_request(request, version):
         if not authorization_header:
             return Response("Missing authentication.", status=403)
     
    +    # Use `hmac.compare_digest` to prevent time attacks
         signature_is_valid = any(
    -        authorization_header == get_signature(message, secret)
    +        hmac.compare_digest(authorization_header, get_signature(message, secret))
             for secret in getattr(settings, "RICHIE_COURSE_RUN_SYNC_SECRETS", [])
         )
     
    
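Review bot: hmac.compare_digest on two str arguments raises TypeError unless both are pure ASCII, and authorization_header comes straight from the request, so a header containing non-ASCII characters would now surface as an unhandled exception (a 500) instead of the 403 that the "Missing authentication." branch above returns; encode both sides to bytes before comparing, or catch the TypeError and treat it as an invalid signature. Two smaller points: the new comment reads "prevent time attacks" where "timing attacks" is meant, and because any() short-circuits the generator still stops at the first matching secret, which only reveals which configured secret matched and is acceptable here.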
