CVE-2026-47161

RELATE Vulnerable to Remote Code Execution (RCE) via Insecure Celery Pickle Deserialization

Assigner: GitHub_M
Reserved: 18.05.2026 Published: 27.05.2026 Updated: 28.05.2026

RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined with missing network isolation in the code execution sandbox, this allows an authenticated student to achieve full Remote Code Execution (RCE) on the host system. Commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb fixes the issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	inducer
Product	relate
Versions	Version < d66ba5659b459bf1ba56b7109b5f9ecf197cbefb is affected

Vendor

inducer

Product

relate

Versions

Version < d66ba5659b459bf1ba56b7109b5f9ecf197cbefb is affected

References

Problem Types

CWE-502: Deserialization of Untrusted Data CWE

CVE-2026-47161 PUBLISHED

RELATE Vulnerable to Remote Code Execution (RCE) via Insecure Celery Pickle Deserialization

Metrics

Product Status

References

Problem Types