Compliance Impact

The vulnerability allows unauthorized access to confidential documents associated with any submission on a HotCRP site by authors who should only access their own submissions. This unauthorized disclosure of confidential information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive data to protect confidentiality. Therefore, the vulnerability poses a risk to compliance with these standards by enabling data leaks. [1, 3]

Useful 0 Not Useful 0

Executive Summary

CVE-2026-23878 is a vulnerability in HotCRP conference review software where authors with at least one submission could exploit the document API to download any documents (PDFs, attachments) associated with any submission, not limited to their own. This occurs due to insufficient validation and access control in handling document version requests, allowing unauthorized access to confidential documents. The vulnerability was introduced in October 2025 and fixed in a later commit that improved validation, access control, and database queries to prevent unauthorized document leaks. [1, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of confidential documents associated with submissions on a HotCRP site. Authors could access documents from other submissions, potentially exposing sensitive or private information. The impact is high on confidentiality but does not affect integrity or availability. This could result in data breaches and loss of trust in the system. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring or testing access to the HotCRP document API endpoints, specifically attempts by authors with submission access to download documents not associated with their own submissions. Since the vulnerability involves unauthorized access to documents via the document API, you can detect it by checking logs for unusual API calls to endpoints like `/api/documenthistory` or other document download endpoints with parameters referencing documents outside the user's submissions. Commands to detect such activity could include searching web server logs or API access logs for suspicious requests. For example, using grep on access logs: `grep '/api/documenthistory' /var/log/nginx/access.log | grep -v 'author_submissions'` (adjusting for your log format and filtering criteria). Additionally, you can use network monitoring tools to detect unusual GET requests to document API endpoints from author-level accounts. However, no specific detection commands are provided in the resources. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading HotCRP to version 3.2 or later, where the vulnerability is fixed. The fix involves improved validation and access control in the document API to prevent unauthorized document downloads. If upgrading immediately is not possible, restrict author-level access to the document API endpoints or disable the document API temporarily to prevent exploitation. Additionally, review and apply the patch from commit ceacd5f1476458792c44c6a993670f02c984b4a0 which fixes the vulnerability by enforcing strict version and access controls on document requests. [1, 3]

Useful 0 Not Useful 0