CVE-2026-45336
Received Received - Intake

Hard-Coded Secret Key in HireFlow Interview System

Vulnerability report for CVE-2026-45336, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secret_key used to sign session cookies, allowing unauthenticated attackers who know the public source value to forge cookies containing role=admin and user_id values and bypass authentication. The advisory lists version 1.3 as fixed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
stratonwebdesigners hireflow to 1.3 (exc)
stratonwebdesigners hireflow 1.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45336 is a critical vulnerability in HireFlow, an interview management system. It involves a hard-coded Flask secret key ('supersecret123') in app.py that signs session cookies. Attackers can forge valid session cookies with admin roles or arbitrary user IDs, bypassing authentication entirely.

Detection Guidance

Check if the application uses a hard-coded Flask secret key by inspecting app.py for values like 'supersecret123'. Search for 'secret_key' in the codebase. Verify if session cookies are signed with this key.

Impact Analysis

This vulnerability allows unauthenticated attackers to gain full admin access to the HireFlow system. They can manipulate session cookies to impersonate any user, including administrators, without valid credentials. This bypasses all authentication controls.

Compliance Impact

This vulnerability likely violates compliance requirements for data protection and access control, such as GDPR's principle of least privilege and HIPAA's access controls. Unauthorized admin access could lead to data breaches, unauthorized data access, or integrity violations, resulting in non-compliance penalties.

Mitigation Strategies

Upgrade to HireFlow version 1.3 or later to patch the vulnerability. If upgrading is not possible, regenerate the Flask secret key with a cryptographically secure random value and ensure it is not hard-coded in the source code.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart