CVE-2026-23946
📋 TL;DR
This critical vulnerability allows authenticated staff users in Tendenci CMS to execute arbitrary code on the server through unsafe Python pickle deserialization in the Helpdesk module's run_report() function. The vulnerability affects Tendenci versions 15.3.11 and below, but only impacts systems where the Helpdesk module is enabled (not enabled by default).
💻 Affected Systems
- Tendenci CMS
📦 What is this software?
Tendenci by Tendenci
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise: an attacker executes arbitrary commands as the www-data user, which can lead to data theft, lateral movement, or complete system takeover.
Likely Case
Code execution confined to what the www-data user can do: reading files the web server can read, writing to the paths it can write, and a foothold for privilege escalation through other vulnerabilities.
If Mitigated
No impact if Helpdesk module is disabled or proper access controls prevent staff users from accessing vulnerable endpoints.
🎯 Exploit Status
Exploitation requires an authenticated staff account. The vulnerability is in the Helpdesk module's run_report() function, which passes user-controlled data to pickle.loads(); because unpickling can invoke arbitrary importable callables, the attacker's payload runs during deserialization, before any validation could happen.
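The following is an added illustration of the bug class, not Tendenci's run_report() code: the "saved report" payload, the gadget class and the allow-list are all constructed for the example. It shows the vulnerable shape (pickle.loads on request bytes), the restricted-globals unpickler from the Python documentation linked in the references, which rejects the same payload, and the plainer remediation of not using pickle for request data at all.

```python
"""Why pickle.loads() on request-supplied bytes is code execution, and two
ways to stop it. Added example; not Tendenci code. The payloads, the gadget
class and SAFE_BUILTINS are constructed for illustration."""
import builtins
import io
import json
import os
import pickle

# Globals the restricted unpickler may resolve. None of these can run code;
# os, subprocess, builtins.eval and friends are simply not resolvable.
SAFE_BUILTINS = {"range", "slice", "set", "frozenset"}


class CallOnLoad:
    """A pickle stream is a small program, not inert data. __reduce__ tells
    the unpickler "rebuild me by calling X(*args)", and X may be any
    importable callable. The gadget here is the harmless os.getenv; an
    attacker would substitute os.system or subprocess.Popen and a shell
    command. (Constructed for the example.)"""

    def __reduce__(self):
        return (os.getenv, ("TENDENCI_PICKLE_DEMO", "gadget-ran"))


def build_malicious_payload() -> bytes:
    return pickle.dumps(CallOnLoad())


def build_benign_payload() -> bytes:
    # Plain data only: what a legitimately saved report filter might look like.
    return pickle.dumps({"queue": "support", "status": ["open", "pending"], "limit": 50})


def run_report_unsafe(data: bytes):
    """The vulnerable shape: untrusted bytes straight into pickle.loads.
    With the malicious payload, os.getenv() is called during deserialization
    and its return value comes back as the "report"."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """find_class() is consulted for every global the stream references, so
    an allow-list here refuses the gadget before it is ever called."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def run_report_safe(data: bytes):
    """Returns (True, params) for plain-data pickles, (False, reason) otherwise."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def parse_report_params_json(raw: str) -> dict:
    """The better remediation: do not pickle request data at all. JSON can
    only yield dicts, lists, strings, numbers, booleans and None."""
    params = json.loads(raw)
    if not isinstance(params, dict):
        raise ValueError("report parameters must be a JSON object")
    return params


if __name__ == "__main__":
    evil, benign = build_malicious_payload(), build_benign_payload()
    print("unsafe load of malicious payload ->", run_report_unsafe(evil))
    print("restricted load of malicious payload ->", run_report_safe(evil))
    print("restricted load of benign payload ->", run_report_safe(benign))
```

The restricted unpickler is a containment measure for code that must keep reading old pickles; for anything that originates in an HTTP request, the JSON path is the right fix, since there is then no deserializer with a code-execution surface in the first place.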
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.3.12
Vendor Advisory: https://github.com/advisories/GHSA-jqmc-fxxp-r589
Restart Required: Yes
Instructions:
1. Back up your Tendenci installation and database.
2. Update to version 15.3.12 via pip: pip install tendenci==15.3.12
3. Restart your web server (Apache/Nginx) and the Tendenci application server.
4. Verify the fix by checking the installed version and testing Helpdesk functionality.
🔧 Temporary Workarounds
Disable Helpdesk Module
Completely disable the vulnerable Helpdesk module if it is not needed.
- Edit the Tendenci settings to disable the Helpdesk module, or remove it from INSTALLED_APPS.
Restrict Staff Access
Limit staff user accounts and enforce strict access controls, since the vulnerable endpoint is reachable only by authenticated staff.
- Review and reduce staff user accounts.
- Implement IP whitelisting for admin interfaces.
🧯 If You Can't Patch
- Disable the Helpdesk module completely in Tendenci settings
- Implement strict network segmentation and firewall rules to restrict access to Tendenci admin interfaces
🔍 How to Verify
Check if Vulnerable:
Check Tendenci version and verify if Helpdesk module is enabled. Version <=15.3.11 with Helpdesk enabled indicates vulnerability.
Check Version:
python -c "import tendenci; print(tendenci.__version__)"
Verify Fix Applied:
Verify that the installed version is 15.3.12 or higher, then exercise the Helpdesk report functionality to confirm it still works after the upgrade. A working report on the patched version is the expected outcome; the absence of errors on an unpatched version proves nothing, because the vulnerable code path also runs without error on legitimate input.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /helpdesk/reports/
- Python pickle-related errors in application logs
- Suspicious command execution from www-data user
Network Indicators:
- Unusual traffic patterns to Helpdesk endpoints from staff accounts
- Large serialized data payloads to /helpdesk/reports/
SIEM Query:
source="tendenci_logs" AND (uri_path="/helpdesk/reports/" OR message="*pickle*" OR message="*run_report*")
(Splunk-style syntax; the wildcards are required because "pickle" and "run_report" appear inside longer messages, and an exact match on message would never fire.)
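The indicators above applied to sample lines, as an added example that is not part of the advisory or of Tendenci: the access-log format (combined log format with a trailing request-length field, as an nginx $request_length would give), the application-log format, the 4 KiB request-size threshold and every sample line are constructed for illustration; only the /helpdesk/reports/ path and the pickle/run_report keywords come from the advisory.

```python
"""Scan constructed web-server and application log lines for the advisory's
indicators: POSTs to /helpdesk/reports/ that carry a large body or end in a
server error, and pickle-related errors in the application log.
Added example; formats, threshold and sample lines are assumptions."""
import re
from dataclasses import dataclass

HELPDESK_REPORT_PATH = "/helpdesk/reports/"  # endpoint named in the advisory
LARGE_BODY_BYTES = 4096                       # assumed threshold; tune per site

# Combined log format plus a trailing request length (assumed log_format).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<reqlen>\d+)$'
)
# "<date> <time> <LEVEL> <message>" application log (assumed format).
APP_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<msg>.*)$")
PICKLE_KEYWORDS = re.compile(r"pickle|UnpicklingError|run_report", re.IGNORECASE)

# Constructed sample data; addresses are from documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - staff1 [10/Jan/2026:10:01:02 +0000] "GET /helpdesk/reports/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 412',
    '203.0.113.7 - staff1 [10/Jan/2026:10:01:09 +0000] "POST /helpdesk/reports/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 531',
    '198.51.100.23 - staff2 [10/Jan/2026:10:02:40 +0000] "POST /helpdesk/reports/ HTTP/1.1" 500 1203 "-" "python-requests/2.31" 18944',
    '198.51.100.23 - staff2 [10/Jan/2026:10:02:41 +0000] "POST /articles/ HTTP/1.1" 200 9911 "-" "python-requests/2.31" 210',
    '192.0.2.55 - staff3 [10/Jan/2026:10:05:13 +0000] "POST /helpdesk/reports/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 9000',
]
SAMPLE_APP_LOG = [
    "2026-01-10 10:02:40,118 ERROR Internal Server Error: /helpdesk/reports/",
    "2026-01-10 10:02:40,119 ERROR run_report failed: _pickle.UnpicklingError: invalid load key, 'x'.",
    "2026-01-10 10:03:00,001 INFO user staff2 logged in",
]


@dataclass
class Hit:
    source: str
    ts: str
    ip: str
    user: str
    reason: str


def scan_access_log(lines, threshold=LARGE_BODY_BYTES):
    """Flag POSTs to the report endpoint with an oversized body or a 5xx."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith(HELPDESK_REPORT_PATH):
            continue
        reasons = []
        reqlen = int(m["reqlen"])
        if reqlen > threshold:
            reasons.append(f"large request body ({reqlen} bytes)")
        if m["status"].startswith("5"):
            reasons.append(f"server error {m['status']} on report endpoint")
        if reasons:
            hits.append(Hit("access", m["ts"], m["ip"], m["user"], "; ".join(reasons)))
    return hits


def scan_app_log(lines):
    """Flag application log messages mentioning pickle or run_report."""
    hits = []
    for line in lines:
        m = APP_RE.match(line.strip())
        if m and PICKLE_KEYWORDS.search(m["msg"]):
            hits.append(Hit("app", m["ts"], "-", "-", m["msg"]))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG) + scan_app_log(SAMPLE_APP_LOG):
        print(hit)
```

Neither rule is evidence of compromise on its own: a legitimately large report filter or an unrelated 500 will fire them. What makes a hit worth pulling is the combination seen in the third sample line, a large POST from a scripted client followed within the same second by an UnpicklingError in the application log, after which the next step is checking what the www-data user did on the host.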
🔗 References
- https://docs.python.org/3/library/pickle.html#restricting-globals
- https://github.com/advisories/GHSA-jqmc-fxxp-r589
- https://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1
- https://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636
- https://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e
- https://github.com/tendenci/tendenci/issues/867
- https://github.com/tendenci/tendenci/releases/tag/v15.3.12
- https://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3