Description
HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0.
Published: 2026-01-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The disclosed flaw permits any authenticated author with at least one submission on a HotCRP site to use the document API to download any attached PDF or file belonging to any other submission. This creates unauthorized disclosure of potentially sensitive research papers, resulting in a confidentiality breach for all participants.

Affected Systems

HotCRP 3.1 released by the Kohler group was affected from commit aa20ef288828b04550950cf67c831af8a525f508 up to but not including the fix in commit ceacd5f1476458792c44c6a993670f02c984b4a0. No other HotCRP versions were explicitly mentioned as vulnerable.

Risk and Exploitability

The CVSS base score is 6.5, indicating moderate severity, while the EPSS is less than 1%, suggesting a low likelihood of exploitation. The vulnerability was not listed in the CISA KEV catalog. An attacker would need only valid author credentials and the ability to access the HotCRP document API, which allows them to retrieve any submission document regardless of ownership.

Generated by OpenCVE AI on April 18, 2026 at 05:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HotCRP to the latest released version that contains commit ceacd5f1476458792c44c6a993670f02c984b4a0 or later.
  • Validate that document access is correctly restricted to the submission owner or authorized reviewers by reviewing ACL configurations and ensuring the updated code path is enforced.
  • Monitor and audit document download activity for anomalous access patterns, especially from authors without relevant submissions.

Generated by OpenCVE AI on April 18, 2026 at 05:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hotcrp:hotcrp:3.1:*:*:*:*:*:*:*

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Hotcrp
Hotcrp hotcrp
Vendors & Products Hotcrp
Hotcrp hotcrp

Mon, 19 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
Description HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0.
Title HotCRP vulnerable to exposure of submitted documents
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Hotcrp Hotcrp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T21:40:57.565Z

Reserved: 2026-01-16T21:02:02.900Z

Link: CVE-2026-23878

cve-icon Vulnrichment

Updated: 2026-01-20T21:40:55.263Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-19T19:16:04.963

Modified: 2026-02-05T18:39:14.693

Link: CVE-2026-23878

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data