CVE-2026-23836
📋 TL;DR
CVE-2026-23836 is a critical remote code execution vulnerability in HotCRP, the conference review software. An authenticated user can execute arbitrary PHP code on the server because the formula-generation code does not adequately sanitize user input. Any HotCRP instance running an unpatched version is affected; the attacker needs nothing more than a valid account on the site.
💻 Affected Systems
- HotCRP
📦 What is this software?
HotCRP, the open-source conference review and program-committee management system (maintained in the kohler/hotcrp repository on GitHub).
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems.
Likely Case
Unauthorized data access, manipulation of conference reviews, privilege escalation, and potential lateral movement within the hosting environment.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place, though code execution would still be possible.
🎯 Exploit Status
Exploitation requires an authenticated account on the HotCRP instance. HotCRP compiles review formulas into PHP code; the generation step did not adequately sanitize user-controlled input, so an attacker with an account can craft a formula that carries PHP of their choosing and have the server execute it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2
Vendor Advisory: https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h
Restart Required: Yes
Instructions:
1. Back up the HotCRP installation directory and its database.
2. Fetch HotCRP version 3.2 from the official repository (https://github.com/kohler/hotcrp).
3. Replace the existing installation with the version 3.2 files, preserving your local configuration.
4. Restart the web server (Apache/Nginx) so the updated PHP code is loaded.
5. Verify that the site works and that the version shown is 3.2 or later.
🔧 Temporary Workarounds
Disable formula functionality
Temporarily disable HotCRP's formula features to remove the vulnerable code path until the patch is applied
# Modify the HotCRP configuration to disable formula features
# Check the HotCRP documentation for the specific configuration options
Restrict user permissions
Limit access to formula-related functionality to trusted administrators
# Review and modify user role permissions in HotCRP
# Remove formula creation/editing permissions from non-admin users
🧯 If You Can't Patch
- Implement strict network segmentation to isolate HotCRP instances
- Enable detailed logging and monitoring for suspicious formula-related activities
🔍 How to Verify
Check if Vulnerable:
HotCRP 3.1 builds that include the formula changes made in April 2024 or later are vulnerable. Compare your checkout against the upstream commit history to see whether it carries the problematic formula-generation code.
Check Version:
Check the HotCRP version in the software interface or review the source code version information.
Verify Fix Applied:
Verify that HotCRP version is 3.2 or later. Check that the commits 4674fcfbb76511072a1145dad620756fc1d4b4e9 and bfc7e0db15df6ed6d544a639020d2ce05a5f0834 are applied.
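A small check for the two fix commits, added here as a worked example (it is not part of HotCRP or of the vendor advisory). It assumes HotCRP is installed as a git checkout of kohler/hotcrp; the function name and exit codes are the example's own. A hash that git does not recognise at all (never fetched) is reported as missing, which is the right answer for a checkout that is behind the fix.

```shell
#!/bin/sh
# Added example for this advisory: does a HotCRP git checkout contain both fix commits?
# Not part of HotCRP itself. Exit status: 0 = both present, 1 = at least one missing,
# 2 = not a git checkout, 3 = git unavailable.

# The two commits the advisory names as the fix.
FIX_COMMITS="4674fcfbb76511072a1145dad620756fc1d4b4e9 bfc7e0db15df6ed6d544a639020d2ce05a5f0834"

hotcrp_fix_present() {
    repo=${1:-.}
    if ! command -v git >/dev/null 2>&1; then
        echo "git not found; compare the installed version against 3.2 by hand" >&2
        return 3
    fi
    if ! git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "$repo is not a git checkout" >&2
        return 2
    fi
    echo "HEAD: $(git -C "$repo" log -1 --format='%h %cd')"
    missing=0
    for sha in $FIX_COMMITS; do
        # --is-ancestor succeeds only if the fix commit is in HEAD's history;
        # an unknown hash (never fetched) fails the same way and counts as missing.
        if git -C "$repo" merge-base --is-ancestor "$sha" HEAD 2>/dev/null; then
            echo "present: $sha"
        else
            echo "MISSING: $sha"
            missing=1
        fi
    done
    return $missing
}

# Usage: sh check_hotcrp_fix.sh /var/www/hotcrp
if [ -n "${1:-}" ]; then
    hotcrp_fix_present "$1"
fi
```

Run it against the directory the web server serves HotCRP from. If the site was deployed from a tarball rather than a clone, the function returns 2 and the version shown in the interface is the only check available.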
📡 Detection & Monitoring
Log Indicators:
- Unusual formula generation requests
- PHP execution errors in web server logs
- Suspicious user activity with formula features
Network Indicators:
- Unexpected outbound connections from HotCRP server
- Unusual patterns in HTTP requests to formula endpoints
SIEM Query:
source="web_server_logs" AND uri="*formula*" AND status>=500
Scope the query to the formula endpoints: status>=200 matches nearly every response, and *eval* or *exec* patterns on the URI only fire if the payload travels in the query string rather than a POST body. Run a second query without the status filter, baselined per user, for the volume indicators above.
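The indicators above turned into a checker over access-log lines, as an added example (not HotCRP code and not from the advisory). It assumes Apache/Nginx combined log format; the /formula path, the hosts, the user names and the log lines are constructed for illustration, and the PHP-token list is a heuristic, not a signature for this CVE.

```python
"""Flag suspicious formula-related requests in web server access logs.

Added example for this advisory; not HotCRP code. It applies the page's log
indicators (formula requests, PHP errors, unusual request patterns) to
Apache/Nginx "combined" format lines. All log lines, hosts, users and the
/formula path are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# PHP constructs that have no place in a review-score formula. Heuristic only:
# a payload sent in a POST body never reaches the access log.
PHP_TOKENS = re.compile(
    r'\b(eval|exec|shell_exec|system|passthru|assert)\s*\(|`|\$_(GET|POST|REQUEST|SERVER)\b',
    re.I,
)

# Formula requests per (client, user) above which we call it a burst; tune per site.
BURST_THRESHOLD = 5


def parse(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_uri"] = unquote_plus(rec["uri"])  # undo %xx and '+' encoding before inspection
    return rec


def analyze(lines, burst=BURST_THRESHOLD):
    """Return formula-related findings: PHP tokens in the URI, 5xx responses, per-client bursts."""
    findings = {"php_tokens": [], "server_errors": [], "bursts": {}}
    per_client = Counter()
    for line in lines:
        rec = parse(line)
        # Only requests that touch formula functionality are of interest here.
        if rec is None or "formula" not in rec["decoded_uri"].lower():
            continue
        key = (rec["client"], rec["user"])
        per_client[key] += 1
        if PHP_TOKENS.search(rec["decoded_uri"]):
            findings["php_tokens"].append((*key, rec["decoded_uri"]))
        if rec["status"] >= 500:  # PHP fatal errors surface as 5xx responses
            findings["server_errors"].append((*key, rec["status"], rec["decoded_uri"]))
    findings["bursts"] = {k: n for k, n in per_client.items() if n >= burst}
    return findings


# Constructed sample: one legitimate user and one account probing the formula endpoint.
# The remote-user field is filled in for readability; HotCRP's session login usually
# leaves it as "-", so real attribution comes from HotCRP's own action log.
SAMPLE_LOG = """\
198.51.100.10 - alice [12/Jan/2026:09:00:01 +0000] "GET /formula?expr=sum%28review_score%29 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.10 - alice [12/Jan/2026:09:00:40 +0000] "GET /paper/12 HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
203.0.113.7 - mallory [12/Jan/2026:09:01:02 +0000] "GET /formula?expr=system%28%22id%22%29 HTTP/1.1" 500 612 "-" "curl/8.0"
203.0.113.7 - mallory [12/Jan/2026:09:01:03 +0000] "GET /formula?expr=eval%28%24_GET%5Bc%5D%29 HTTP/1.1" 500 612 "-" "curl/8.0"
203.0.113.7 - mallory [12/Jan/2026:09:01:05 +0000] "GET /formula?expr=1%2B1 HTTP/1.1" 200 7900 "-" "curl/8.0"
203.0.113.7 - mallory [12/Jan/2026:09:01:06 +0000] "GET /formula?expr=2%2B2 HTTP/1.1" 200 7900 "-" "curl/8.0"
203.0.113.7 - mallory [12/Jan/2026:09:01:07 +0000] "GET /formula?expr=3%2B3 HTTP/1.1" 200 7900 "-" "curl/8.0"
"""


def demo():
    """Run the checker over the constructed sample."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for name, items in demo().items():
        print(f"{name}: {items}")
```

Point it at the real access log with `analyze(open(path))`. A formula submitted in a POST body shows up only as a hit on the path and, if the injected code faulted, a 5xx response, so treat the token match as a bonus rather than the primary signal, and pair the per-client counts with HotCRP's action log for attribution.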