Description
HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.
Published: 2026-05-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HireFlow 1.2 suffers from an incorrect access control flaw on the /candidate/<id> and /interview/<id> endpoints: any authenticated user can retrieve other users' records simply by iterating the integer object ID in the URL path. This broken object-level authorization is a horizontal privilege escalation that exposes every candidate profile and interview note in the system. The weakness is tracked as CWE-639 (Authorization Bypass Through User-Controlled Key, i.e. an insecure direct object reference); the record also carries the more general CWE-284 (Improper Access Control).
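The handler pattern the description and impact sections describe, beside a hardened version, as an added example in Python that is not HireFlow's own code (the page does not give HireFlow's language or data model; the in-memory record store, the role names "applicant", "recruiter" and "admin", and the status codes are assumptions). It also shows the ownership and role check the recommended actions call for, and the enumeration loop an attacker would run against each variant:

```python
"""Missing object-level authorization on /candidate/<id> and /interview/<id>,
beside a hardened handler. Added illustration, not HireFlow code; the data
model, role names and return codes are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str          # assumed roles: "applicant", "recruiter", "admin"


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int      # the applicant the record belongs to (assumed field)
    body: str


# Constructed sample data standing in for the application's database.
CANDIDATES = {
    1: Record(1, owner_id=10, body="profile of user 10"),
    2: Record(2, owner_id=11, body="profile of user 11"),
    3: Record(3, owner_id=12, body="profile of user 12"),
}
INTERVIEWS = {
    1: Record(1, owner_id=10, body="interview notes for user 10"),
    2: Record(2, owner_id=12, body="interview notes for user 12"),
}


def get_record_vulnerable(table, user, record_id):
    """Mirrors the flaw the advisory describes: the handler checks only that
    the caller is logged in, then returns whatever row the caller-supplied ID
    points at. Returns (http_status, body)."""
    if user is None:
        return 401, None
    rec = table.get(record_id)
    return (200, rec.body) if rec else (404, None)


def get_record_secure(table, user, record_id):
    """Hardened handler: authenticate, fetch, then verify that the caller owns
    the object or holds a role permitted to read it. A non-owner receives the
    same 404 as a missing row, so the endpoint does not act as an oracle for
    which IDs exist (returning 403 instead is a defensible choice, but it
    leaks existence)."""
    if user is None:
        return 401, None
    rec = table.get(record_id)
    if rec is None:
        return 404, None
    if rec.owner_id == user.id or user.role in ("recruiter", "admin"):
        return 200, rec.body
    return 404, None


def enumerate_ids(handler, table, user, id_range):
    """What the attacker does: walk the integer ID space and keep whatever the
    endpoint hands back. Returns the record IDs that were disclosed."""
    return [i for i in id_range if handler(table, user, i)[0] == 200]


if __name__ == "__main__":
    low_priv = User(11, "applicant")
    print("vulnerable:", enumerate_ids(get_record_vulnerable, CANDIDATES, low_priv, range(1, 10)))
    print("secure:    ", enumerate_ids(get_record_secure, CANDIDATES, low_priv, range(1, 10)))
```

The check has to happen on every object read, not only in the list views: a handler that filters the listing by owner but fetches /candidate/<id> by primary key alone is exactly the shape of this bug.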

Affected Systems

The vulnerable product is HireFlow 1.2, an interview management system from Stratonwebdesigners distributed via GitHub and SourceCodester. Any deployment of this version that exposes the /candidate/<id> and /interview/<id> endpoints is affected; no other vendors or versions are listed.

Risk and Exploitability

Exploitation is straightforward: authentication is required (PR:L), but because the application verifies neither ownership nor role, an attacker with any valid account can enumerate IDs and read every record. The CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N scores 8.1 High, with high impact to both confidentiality and integrity. The EPSS score is below 1% and the CVE is not in KEV, so there is no evidence of exploitation in the wild yet; that reflects observed activity rather than difficulty, and the trivial attack path combined with complete data exposure still makes this a high-risk issue for any exposed deployment.

Generated by OpenCVE AI on May 11, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched version of HireFlow that enforces proper ownership checks on /candidate/ and /interview/ endpoints.
  • Implement explicit role‑based permission checks so that only record owners or authorized personnel can read, edit, or delete candidate and interview data.
  • Enable logging and monitoring for unusual ID enumeration patterns on these endpoints to detect potential abuse.
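Detection logic for the third recommendation, as an added example that is not part of the page or the product. It parses access-log lines in an assumed format (timestamp, authenticated user, method, path, status; the sample lines are constructed) and flags a user who walks adjacent object IDs on the affected endpoints within a short window. The thresholds are assumptions to tune per deployment:

```python
"""Flag ID enumeration against /candidate/<id> and /interview/<id> in access
logs. Added example; the log format, thresholds and sample lines are all
constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format:
#   <ISO timestamp> user=<id> <method> <path> <status>
# user=23 iterates candidate IDs 1..12 in twelve seconds; the others are
# ordinary usage.
SAMPLE_LOG = """\
2026-05-11T10:00:00 user=11 GET /candidate/2 200
2026-05-11T10:00:05 user=11 GET /interview/1 200
2026-05-11T10:01:00 user=23 GET /candidate/1 200
2026-05-11T10:01:01 user=23 GET /candidate/2 200
2026-05-11T10:01:02 user=23 GET /candidate/3 200
2026-05-11T10:01:03 user=23 GET /candidate/4 404
2026-05-11T10:01:04 user=23 GET /candidate/5 200
2026-05-11T10:01:05 user=23 GET /candidate/6 200
2026-05-11T10:01:06 user=23 GET /candidate/7 200
2026-05-11T10:01:07 user=23 GET /candidate/8 200
2026-05-11T10:01:08 user=23 GET /candidate/9 200
2026-05-11T10:01:09 user=23 GET /candidate/10 200
2026-05-11T10:01:10 user=23 GET /candidate/11 200
2026-05-11T10:01:11 user=23 GET /candidate/12 200
2026-05-11T10:30:00 user=42 GET /interview/7 200
2026-05-11T10:30:01 user=42 GET /interview/8 200
2026-05-11T10:30:02 user=42 GET /interview/9 200
2026-05-11T11:30:00 user=42 GET /interview/10 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>\S+) "
    r"(?P<path>/(?:candidate|interview)/(?P<oid>\d+)) (?P<status>\d{3})$"
)


def parse(log_text):
    """Yield (timestamp, user, endpoint, object_id, status) for lines that hit
    one of the two affected endpoints; anything else is ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        endpoint = m["path"].rsplit("/", 1)[0]          # "/candidate" or "/interview"
        yield (datetime.fromisoformat(m["ts"]), int(m["user"]),
               endpoint, int(m["oid"]), int(m["status"]))


def find_enumeration(log_text, window=timedelta(minutes=5),
                     min_distinct=8, min_sequential_ratio=0.7):
    """Flag (user, endpoint) pairs that request at least `min_distinct`
    distinct object IDs inside a sliding `window` where most consecutive
    requests move to an adjacent ID, the signature of iterating the path
    parameter. Returns one dict per flagged pair, describing the widest
    window that matched."""
    by_key = defaultdict(list)
    for ts, user, endpoint, oid, status in parse(log_text):
        by_key[(user, endpoint)].append((ts, oid, status))

    alerts = []
    for (user, endpoint), events in by_key.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = [oid for _, oid, _ in events[start:end + 1]]
            distinct = len(set(ids))
            if distinct < min_distinct:
                continue
            steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
            sequential = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
            if sequential >= min_sequential_ratio and (best is None or distinct > best["distinct_ids"]):
                best = {"user": user, "endpoint": endpoint, "distinct_ids": distinct,
                        "sequential_ratio": round(sequential, 2),
                        "first": events[start][0], "last": events[end][0]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

The sequential-step ratio is what separates enumeration from a recruiter legitimately opening many records: humans jump between IDs, scripts count. Because the vulnerable handler returns 200 for every existing row, status codes alone give no signal here; for the hardened handler, a burst of 404s from one user on these paths is the complementary indicator.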

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Stratonwebdesigners; Stratonwebdesigners hireflow
Vendors & Products    (none)           Stratonwebdesigners; Stratonwebdesigners hireflow

Mon, 11 May 2026 22:15:00 +0000

Type         Values Removed   Values Added
Title        (none)           Incorrect Access Control in HireFlow 1.2 Enables Unauthorized Data Access
Weaknesses   (none)           CWE-284

Mon, 11 May 2026 19:15:00 +0000

Type         Values Removed   Values Added
Weaknesses   (none)           CWE-639
Metrics      (none)           cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:45:00 +0000

Type         Values Removed   Values Added
Title        (none)           Incorrect Access Control in HireFlow 1.2 Enables Unauthorized Data Access
Weaknesses   (none)           CWE-284

Mon, 11 May 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-11T18:21:13.741Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38568

Vulnrichment

Updated: 2026-05-11T18:21:00.258Z

NVD

Status: Deferred

Published: 2026-05-11T18:16:32.970

Modified: 2026-05-12T15:05:31.120

Link: CVE-2026-38568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:28Z

Weaknesses