Skip to main content

Hireflow

1 CVEs product

Monthly

CVE-2026-45336 CRITICAL PATCH Act Now

Authentication bypass in HireFlow interview management system (versions 1.2 and earlier) lets unauthenticated remote attackers forge signed session cookies because app.py ships a hard-coded Flask secret_key. Since the key is present in the public source tree, any attacker can mint cookies asserting role=admin and arbitrary user_id values to gain full administrative access. Rated CVSS 10.0; no public exploit is identified at time of analysis, though the flaw is trivially reproducible from the disclosed source value.

Python Authentication Bypass Hireflow
NVD GitHub VulDB
CVSS 3.1
10.0
CVSS 10.0
CRITICAL PATCH Act Now

Authentication bypass in HireFlow interview management system (versions 1.2 and earlier) lets unauthenticated remote attackers forge signed session cookies because app.py ships a hard-coded Flask secret_key. Since the key is present in the public source tree, any attacker can mint cookies asserting role=admin and arbitrary user_id values to gain full administrative access. Rated CVSS 10.0; no public exploit is identified at time of analysis, though the flaw is trivially reproducible from the disclosed source value.

Python Authentication Bypass Hireflow
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy