VYPR
← All advisories
High severityNVD Advisory· Published May 27, 2026

CVE-2026-47161

CVE-2026-47161

Description

RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined with missing network isolation in the code execution sandbox, this allows an authenticated student to achieve full Remote Code Execution (RCE) on the host system. Commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RELATE LMS prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb uses an insecure Celery pickle serializer and lacks network isolation, allowing authenticated students to achieve RCE on the host.

Vulnerability

RELATE LMS, a web-based courseware package, configures its Celery workers to accept and deserialize untrusted pickle data prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb [1]. The file relate/settings.py explicitly sets CELERY_ACCEPT_CONTENT = ["pickle", "json"] and CELERY_TASK_SERIALIZER = "pickle" [1]. Additionally, the code execution sandbox used for evaluating student code (e.g., in course.page.code.request_run) omits the network_disabled=True parameter, allowing containerized code to communicate with the host's internal network [1].

Exploitation

An attacker who is an authenticated student can submit malicious Python code via a PythonCodeQuestion that lacks network isolation [1]. This code can connect directly to the Redis or RabbitMQ message broker (accessible on the internal network) and push a crafted Celery task containing a pickle payload [1]. The proof-of-concept demonstrates building a pickled body with a __reduce__ method that executes an arbitrary system command via os.system, then sending it to the broker using the raw RESP protocol [1]. No external dependencies are required; the entire exploit is achieved from within the sandboxed container [1].

Impact

Successful exploitation results in Remote Code Execution (RCE) on the host server running the Celery worker [1]. The attacker gains arbitrary command execution at the privilege level of the Celery worker process, which typically has significant access to the host system. This can lead to full compromise of the RELATE instance and underlying infrastructure [1].

Mitigation

The vulnerability is fixed in commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, which removes pickle from the accepted content types and serializer [2]. Operators should upgrade to a version containing this commit immediately [2]. A workaround, if upgrading is not immediately possible, is to manually edit relate/settings.py to set CELERY_ACCEPT_CONTENT = ["json"] and CELERY_TASK_SERIALIZER = "json", and ensure that all code-execution sandboxes include network_disabled=True [1].

References
  1. Remote Code Execution (RCE) via Insecure Celery Pickle Deserialization
  2. Celery: don't accept pickle tasks · inducer/relate@d66ba56

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Inducer/Relatereferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: < commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb

Patches

1
d66ba5659b45

Celery: don't accept pickle tasks

https://github.com/inducer/relateAndreas KloecknerMay 18, 2026via text-mined
commit
1 file changed · +1 1
  • relate/settings.py+1 1 modified
    @@ -312,7 +312,7 @@
 
     CELERY_BROKER_URL = "amqp://"
 
-CELERY_ACCEPT_CONTENT = ["pickle", "json"]
+CELERY_ACCEPT_CONTENT = ["json"]
 CELERY_TASK_SERIALIZER = "json"
 # (pickle is buggy in django-celery-results 1.0.1)
 # https://github.com/celery/django-celery-results/issues/50

Vulnerability mechanics

Root cause

"Celery is configured to accept and deserialize untrusted pickle data, and the Docker sandbox lacks network isolation, allowing an attacker to inject a malicious pickle payload into the broker queue."

Attack vector

An attacker who can reach the Celery message broker (Redis/RabbitMQ) can push a crafted pickle payload to the broker queue. The Celery worker deserializes the untrusted pickle data, triggering `__reduce__` to execute arbitrary system commands [ref_id=1]. Because the Docker sandbox for student code evaluation lacks `network_disabled=True`, an authenticated student can submit code that connects to the host's internal broker (e.g., `redis://127.0.0.1:6379/0`) and inject a malicious Celery task, achieving full Remote Code Execution on the host server [ref_id=1].

Affected code

The vulnerability is in `relate/settings.py`, where Celery is configured with `CELERY_ACCEPT_CONTENT = ["pickle", "json"]` and `CELERY_TASK_SERIALIZER = "pickle"` [patch_id=2749083]. Additionally, `course.page.code.request_run` lacks `network_disabled=True` when spawning Docker containers for student code evaluation, allowing sandboxed code to reach the internal message broker [ref_id=1].

What the fix does

The fix removes `"pickle"` from `CELERY_ACCEPT_CONTENT` in `relate/settings.py`, changing the list from `["pickle", "json"]` to `["json"]` [patch_id=2749083]. This prevents Celery workers from deserializing pickle-formatted tasks, eliminating the arbitrary code execution vector via `__reduce__`. The advisory also notes that the Docker sandbox should be configured with `network_disabled=True` to prevent sandboxed code from reaching the broker, though this change is not shown in the provided patch [ref_id=1].

Preconditions

  • networkAttacker must be able to reach the Celery message broker (Redis/RabbitMQ) — either directly from the host network or via the Docker sandbox that lacks network isolation
  • authAttacker must be an authenticated user capable of submitting code (a student) if exploiting via the sandbox, or have network access to the broker otherwise
  • configCelery worker must be configured with pickle deserialization enabled (the default before the fix)

Reproduction

Set up a RELATE instance with Celery and a Redis broker. Exploit the missing network isolation in a `PythonCodeQuestion` (or directly from the host) to run a Python script that connects to Redis via the raw RESP protocol and pushes a crafted Celery task. The script (provided in [ref_id=1]) creates an `Exploit` class with `__reduce__` that executes `whoami > /tmp/whoami_emreefedogan.txt`, serializes it as a Celery message, and sends it to the broker via `LPUSH` on the `celery` queue. Once the Celery worker consumes the task, it deserializes the pickle payload and executes the command; verify by checking for `/tmp/whoami_emreefedogan.txt` [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.