CVE-2026-23946: Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization
(updated )
A critical deserialization vulnerability exists in Tendenci Helpdesk module (NOTE, by default, Helpdesk is NOT enabled), affecting the version 15.3.11 and earlier. This vulnerability allows remote code execution (RCE) by an authenticated user with staff security level due to using Python’s pickle module on the helpdesk /reports/. The damage is contained to the user that your Tendenci application runs.
Key Finding: The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads().
Permission Scoping: The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions.
References
- docs.python.org/3/library/pickle.html
- github.com/advisories/GHSA-339m-4qw5-j2g3
- github.com/advisories/GHSA-jqmc-fxxp-r589
- github.com/tendenci/tendenci
- github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1
- github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636
- github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e
- github.com/tendenci/tendenci/issues/867
- github.com/tendenci/tendenci/releases/tag/v15.3.12
- github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3
- nvd.nist.gov/vuln/detail/CVE-2020-14942
- nvd.nist.gov/vuln/detail/CVE-2026-23946
Code Behaviors & Features
Detect and mitigate CVE-2026-23946 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →