Description
GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access to job data.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GoJobs, a REST API for a job board, exposes an endpoint that returns job details without enforcing authentication or proper authorization checks. This flaw, an Insecure Direct Object Reference (IDOR), allows an attacker to change the job identifier in the request and retrieve any job record. The result is unauthorized disclosure of job data, compromising confidentiality without affecting integrity or availability; it is classified under CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS score of 5.3 indicates medium severity.

Affected Systems

The affected system is the GoJobs application maintained by Karnop. No specific version information is provided, so every release without a fix should be treated as potentially vulnerable.

Risk and Exploitability

The risk level is moderate, as reflected by the CVSS score. EPSS data is not available, and the vulnerability is not listed in CISA KEV, so the likelihood of exploitation is uncertain but cannot be ruled out. Attackers can exploit the flaw by crafting unauthenticated HTTP requests to the job retrieval endpoint, manipulating the job identifier to access any job record. Without proper authentication and authorization, the vulnerability remains exploitable in any environment where the endpoint is exposed. Mitigation is thus essential to prevent potential data leaks.

Generated by OpenCVE AI on May 12, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Require authentication for all job retrieval requests, preferably using JWT or API keys to ensure the caller is verified.
  • Implement authorization logic that checks whether the authenticated user has permission to view the requested job, thereby enforcing proper access controls.
  • Apply rate limiting and logging to detect and block suspicious ID manipulation attempts.
  • Keep the application updated by monitoring Karnop advisory channels for a vendor patch once released.

Generated by OpenCVE AI on May 12, 2026 at 23:21 UTC.
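The first two recommended actions, shown as an added Go example that is not code from GoJobs or from OpenCVE: a handler with the described IDOR beside a hardened version that first verifies the caller and then checks that the caller owns the requested job. The in-memory job store, the token table standing in for JWT or API-key verification, and the owner-based permission model are assumptions made for the illustration.

```go
package main
import ("fmt"; "net/http"; "net/http/httptest"; "strconv")

// Job is a hypothetical record; OwnerID is what the authorization check keys on.
type Job struct{ ID int; OwnerID, Title string }

// Constructed stand-ins for the datastore and for a JWT/API-key verifier (a map lookup here).
var jobs = map[int]Job{1: {1, "alice", "Backend engineer"}, 2: {2, "bob", "SRE"}}
var tokens = map[string]string{"token-alice": "alice", "token-bob": "bob"}

// vulnerableGetJob mirrors the flaw: whoever supplies an id gets the record, no caller check.
func vulnerableGetJob(w http.ResponseWriter, r *http.Request) {
	id, _ := strconv.Atoi(r.URL.Query().Get("id"))
	if job, ok := jobs[id]; ok {
		fmt.Fprintf(w, "%d:%s:%s", job.ID, job.OwnerID, job.Title)
		return
	}
	http.NotFound(w, r)
}

// hardenedGetJob authenticates the caller, then returns only a job the caller owns; missing
// and foreign ids both yield 404 so the response does not confirm that an id exists.
func hardenedGetJob(w http.ResponseWriter, r *http.Request) {
	caller, authed := tokens[r.Header.Get("Authorization")]
	if !authed {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	id, err := strconv.Atoi(r.URL.Query().Get("id"))
	if job, ok := jobs[id]; err == nil && ok && job.OwnerID == caller {
		fmt.Fprintf(w, "%d:%s:%s", job.ID, job.OwnerID, job.Title)
		return
	}
	http.NotFound(w, r)
}

// fetch drives a handler with an in-memory request and returns the HTTP status code.
func fetch(h http.HandlerFunc, id int, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/jobs?id="+strconv.Itoa(id), nil)
	req.Header.Set("Authorization", token)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(fetch(vulnerableGetJob, 2, ""), fetch(hardenedGetJob, 2, ""),
		fetch(hardenedGetJob, 2, "token-alice"), fetch(hardenedGetJob, 2, "token-bob"))
}
```

Running it prints 200 401 404 200: the vulnerable handler serves job 2 to an anonymous caller, while the hardened one rejects the anonymous request, hides the job from a non-owner, and serves it to its owner.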

Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Karnop; Karnop gojobs
Vendors & Products | | Karnop; Karnop gojobs

Tue, 12 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access to job data.
Title | | GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint
Weaknesses | | CWE-284; CWE-639
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:32:15.465Z

Reserved: 2026-05-05T19:52:59.147Z

Link: CVE-2026-44341

Vulnrichment

Updated: 2026-05-13T14:32:11.756Z

NVD

Status : Deferred

Published: 2026-05-12T23:16:18.197

Modified: 2026-05-13T18:15:26.870

Link: CVE-2026-44341

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:35:14Z

Weaknesses