Skip to main content

HireFlow CVE-2026-38568

| EUVDEUVD-2026-29116 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-11 mitre GHSA-6fpq-hhv8-hc9f
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 19:45 vuln.today
CVSS changed
May 11, 2026 - 19:22 NVD
8.1 (HIGH)
CVE Published
May 11, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 00:00 nvd
HIGH 8.1

DescriptionCVE.org

HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.

AnalysisAI

Broken object-level authorization in HireFlow v1.2 exposes all candidate profiles and interview notes to any authenticated user via direct object reference. Attackers with valid low-privilege credentials can enumerate integer IDs in /candidate/<id> and /interview/<id> endpoints to access the entire database, enabling full horizontal privilege escalation and complete data breach. No vendor patch identified at time of analysis. EPSS data not available; no evidence of active exploitation (not in CISA KEV).

Technical ContextAI

HireFlow is a Python-based interview management system distributed via SourceCodester. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where route handlers directly use user-supplied ID parameters to retrieve database records without implementing object-level authorization checks. The application architecture separates authentication (user must be logged in) from authorization (user can access only their own data), but only enforces the former. The CVSS vector (PR:L) confirms that authentication is required, but once authenticated, no role-based access control or ownership verification occurs. The sequential integer ID scheme makes enumeration trivial, converting a design flaw into a weaponizable data breach vector affecting all records system-wide.

RemediationAI

No vendor-released patch identified at time of analysis. Organizations must implement immediate compensating controls: (1) Add server-side authorization checks in route handlers for /candidate/<id> and /interview/<id> to verify requesting user owns the record or has admin role before database retrieval-consult researcher's disclosure at https://github.com/hijackedamygdala/CVE-Disclosures/tree/main/HireFlow/CVE-2026-38568 for technical details; (2) Replace sequential integer IDs with UUIDs to eliminate enumeration, though this does not fix the root authorization flaw; (3) Enable comprehensive access logging on these endpoints and alert on rapid ID iteration patterns (e.g., >10 distinct IDs per user per minute); (4) Restrict application access to trusted networks via firewall rules or VPN, reducing attack surface to internal threats only-trade-off is loss of remote interviewer access. For production HR systems, consider migrating to mature alternatives with established security track records until HireFlow maintainers release an authoritative patch. Monitor GitHub repository for updates.

Share

CVE-2026-38568 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy