Unrated severityOSV Advisory· Published Jan 19, 2026· Updated Jan 20, 2026
HotCRP vulnerable to exposure of submitted documents
CVE-2026-23878
Description
HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508mitrex_refsource_MISC
- github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0mitrex_refsource_MISC
- github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqxmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.