Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.
AnalysisAI
Broken object-level authorization in HireFlow v1.2 exposes all candidate profiles and interview notes to any authenticated user via direct object reference. Attackers with valid low-privilege credentials can enumerate integer IDs in /candidate/<id> and /interview/<id> endpoints to access the entire database, enabling full horizontal privilege escalation and complete data breach. No vendor patch identified at time of analysis. EPSS data not available; no evidence of active exploitation (not in CISA KEV).
Technical ContextAI
HireFlow is a Python-based interview management system distributed via SourceCodester. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where route handlers directly use user-supplied ID parameters to retrieve database records without implementing object-level authorization checks. The application architecture separates authentication (user must be logged in) from authorization (user can access only their own data), but only enforces the former. The CVSS vector (PR:L) confirms that authentication is required, but once authenticated, no role-based access control or ownership verification occurs. The sequential integer ID scheme makes enumeration trivial, converting a design flaw into a weaponizable data breach vector affecting all records system-wide.
RemediationAI
No vendor-released patch identified at time of analysis. Organizations must implement immediate compensating controls: (1) Add server-side authorization checks in route handlers for /candidate/<id> and /interview/<id> to verify requesting user owns the record or has admin role before database retrieval-consult researcher's disclosure at https://github.com/hijackedamygdala/CVE-Disclosures/tree/main/HireFlow/CVE-2026-38568 for technical details; (2) Replace sequential integer IDs with UUIDs to eliminate enumeration, though this does not fix the root authorization flaw; (3) Enable comprehensive access logging on these endpoints and alert on rapid ID iteration patterns (e.g., >10 distinct IDs per user per minute); (4) Restrict application access to trusted networks via firewall rules or VPN, reducing attack surface to internal threats only-trade-off is loss of remote interviewer access. For production HR systems, consider migrating to mature alternatives with established security track records until HireFlow maintainers release an authoritative patch. Monitor GitHub repository for updates.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29116
GHSA-6fpq-hhv8-hc9f