{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23878", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T21:02:02.900Z", "datePublished": "2026-01-19T18:08:41.100Z", "dateUpdated": "2026-01-20T21:40:57.565Z"}, "containers": {"cna": {"title": "HotCRP vulnerable to exposure of submitted documents", "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx"}, {"name": "https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508", "tags": ["x_refsource_MISC"], "url": "https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508"}, {"name": "https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0", "tags": ["x_refsource_MISC"], "url": "https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0"}], "affected": [{"vendor": "kohler", "product": "hotcrp", "versions": [{"version": ">= aa20ef288828b04550950cf67c831af8a525f508, < ceacd5f1476458792c44c6a993670f02c984b4a0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T18:08:41.100Z"}, "descriptions": [{"lang": "en", "value": "HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0."}], "source": {"advisory": "GHSA-vh3x-xwj4-jvqx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T21:40:50.777606Z", "id": "CVE-2026-23878", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T21:40:57.565Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23878", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T21:40:50.777606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T21:40:55.263Z"}}], "cna": {"title": "HotCRP vulnerable to exposure of submitted documents", "source": {"advisory": "GHSA-vh3x-xwj4-jvqx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kohler", "product": "hotcrp", "versions": [{"status": "affected", "version": ">= aa20ef288828b04550950cf67c831af8a525f508, < ceacd5f1476458792c44c6a993670f02c984b4a0"}]}], "references": [{"url": "https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx", "name": "https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508", "name": "https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0", "name": "https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T18:08:41.100Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23878", "state": "PUBLISHED", "dateUpdated": "2026-01-20T21:40:57.565Z", "dateReserved": "2026-01-16T21:02:02.900Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T18:08:41.100Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hotcrp:hotcrp:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "C49A46B9-6C68-43E5-9B50-3C271E236CDE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0."}], "id": "CVE-2026-23878", "lastModified": "2026-02-05T18:39:14.693", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-19T19:16:04.963", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:04:58.842591+00:00", "value": {"mitigation_remediation": ["Upgrade HotCRP to the latest released version that contains commit ceacd5f1476458792c44c6a993670f02c984b4a0 or later.", "Validate that document access is correctly restricted to the submission owner or authorized reviewers by reviewing ACL configurations and ensuring the updated code path is enforced.", "Monitor and audit document download activity for anomalous access patterns, especially from authors without relevant submissions."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "HotCRP 3.1 released by the Kohler group was affected from commit aa20ef288828b04550950cf67c831af8a525f508 up to but not including the fix in commit ceacd5f1476458792c44c6a993670f02c984b4a0. No other HotCRP versions were explicitly mentioned as vulnerable.", "description_and_impact": "The disclosed flaw permits any authenticated author with at least one submission on a HotCRP site to use the document API to download any attached PDF or file belonging to any other submission. This creates unauthorized disclosure of potentially sensitive research papers, resulting in a confidentiality breach for all participants.", "risk_and_exploitability": "The CVSS base score is 6.5, indicating moderate severity, while the EPSS is less than 1%, suggesting a low likelihood of exploitation. The vulnerability was not listed in the CISA KEV catalog. An attacker would need only valid author credentials and the ability to access the HotCRP document API, which allows them to retrieve any submission document regardless of ownership."}}}}, "created": "2026-01-20T08:40:46.207681+00:00", "updated": "2026-04-18T05:15:15.975866+00:00", "vendors": ["hotcrp", "hotcrp$PRODUCT$hotcrp"]}