CVE-2026-23878
📋 TL;DR
This vulnerability in the HotCRP conference review software allows any author with at least one submission to download documents (PDFs, attachments) from any submission on the site, bypassing the intended access controls. It affects HotCRP installations running code from commit aa20ef288828b04550950cf67c831af8a525f508 up to, but not including, commit ceacd5f1476458792c44c6a993670f02c984b4a0. The issue enables unauthorized access to potentially sensitive submission materials.
💻 Affected Systems
- HotCRP
📦 What is this software?
HotCRP (conference review software) by HotCRP
⚠️ Risk & Real-World Impact
Worst Case
Authors could download all submission documents, exposing confidential research, proprietary data, or personally identifiable information from all conference submissions.
Likely Case
Authors with malicious intent could access and download documents from other submissions they shouldn't have access to, potentially stealing intellectual property or sensitive information.
If Mitigated
With proper access controls and monitoring, unauthorized downloads could be detected and limited, though some data exposure might still occur before detection.
🎯 Exploit Status
Exploitation requires author-level access with at least one submission. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit ceacd5f1476458792c44c6a993670f02c984b4a0 or later
Vendor Advisory: https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx
Restart Required: Yes
Instructions:
1. Back up your HotCRP installation and database.
2. Update to commit ceacd5f1476458792c44c6a993670f02c984b4a0 or later.
3. Restart the web server/service.
4. Verify the fix by testing document access controls.
🔧 Temporary Workarounds
Disable document API for authors
Temporarily restrict author access to the document API functionality
Modify HotCRP configuration to remove document API permissions from author roles
Implement additional access logging
Add comprehensive logging for all document download attempts
Configure HotCRP to log all document API requests with user and document identifiers
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to HotCRP instances
- Deploy a WAF with rules to detect and block suspicious document download patterns
🔍 How to Verify
Check if Vulnerable:
Check whether your HotCRP installation is at or after commit aa20ef288828b04550950cf67c831af8a525f508 and before commit ceacd5f1476458792c44c6a993670f02c984b4a0
Check Version:
Check the git log or the version file in the HotCRP installation directory
Verify Fix Applied:
Test with an author account that has at least one submission to ensure they cannot download documents from other submissions
📡 Detection & Monitoring
Log Indicators:
- Multiple document downloads by single author account
- Author downloading documents from submissions they didn't create
- Unusual document access patterns
Network Indicators:
- High volume of document downloads from author accounts
- Document API requests with varying submission IDs from same user
SIEM Query:
source="hotcrp" AND (event="document_download" OR api="document") | stats count by user_id, submission_id | where count > 1
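The log indicators above can be checked offline against exported download logs. The following is an added example, not HotCRP's own code or log format: it assumes a JSON-per-line record with user_id, role, event and submission_id fields (constructed here), plus an authorship map, and flags author-role accounts that downloaded documents from submissions they do not own.

```python
import json
from collections import defaultdict

# Constructed sample log lines in a JSON-per-line shape assumed for this
# example; HotCRP's real log format may differ.
SAMPLE_LOG = """
{"user_id": 7, "role": "author", "event": "document_download", "submission_id": 12}
{"user_id": 7, "role": "author", "event": "document_download", "submission_id": 12}
{"user_id": 7, "role": "author", "event": "document_download", "submission_id": 31}
{"user_id": 7, "role": "author", "event": "document_download", "submission_id": 45}
{"user_id": 9, "role": "author", "event": "document_download", "submission_id": 20}
{"user_id": 3, "role": "pc", "event": "document_download", "submission_id": 31}
{"user_id": 3, "role": "pc", "event": "document_download", "submission_id": 45}
"""

# Constructed authorship map: which submissions each author account owns.
AUTHORSHIP = {7: {12}, 9: {20}}


def parse_log(text):
    """Parse JSON-per-line records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def flag_cross_submission_downloads(events, authorship):
    """Return {user_id: sorted submission_ids} for author-role accounts that
    downloaded documents from submissions they do not own.

    PC/reviewer accounts are skipped: they legitimately read many
    submissions, so a raw download count alone would be noisy."""
    suspicious = defaultdict(set)
    for ev in events:
        if ev.get("event") != "document_download" or ev.get("role") != "author":
            continue
        owned = authorship.get(ev["user_id"], set())
        if ev["submission_id"] not in owned:
            suspicious[ev["user_id"]].add(ev["submission_id"])
    return {uid: sorted(subs) for uid, subs in suspicious.items()}


if __name__ == "__main__":
    print(flag_cross_submission_downloads(parse_log(SAMPLE_LOG), AUTHORSHIP))
```

Repeated downloads of a user's own submission (user 7, submission 12) are not flagged; only the cross-submission accesses are.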