CVE-2026-23878 Overview
A sensitive data exposure vulnerability exists in HotCRP, a widely used conference review application, that allows authenticated authors with at least one submission to download any documents (PDFs, attachments) associated with any submission through the document API. This Insecure Direct Object Reference (IDOR) vulnerability enables unauthorized access to confidential peer review materials and submission documents.
Critical Impact
Authenticated users can access and download confidential documents from any submission on the HotCRP instance, potentially exposing unpublished research, reviewer comments, and sensitive conference materials.
Affected Products
- HotCRP versions from commit aa20ef288828b04550950cf67c831af8a525f508 to commit ceacd5f1476458792c44c6a993670f02c984b4a0
- Self-hosted HotCRP installations running vulnerable commits
- HotCRP instances with document API functionality enabled
Discovery Timeline
- 2026-01-19 - CVE-2026-23878 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2026-23878
Vulnerability Analysis
This vulnerability represents a classic Insecure Direct Object Reference (IDOR) flaw in HotCRP's document API. The root cause lies in insufficient authorization checks when processing document retrieval requests. Any authenticated author with at least one submission could exploit the document API endpoints to access documents belonging to other submissions, bypassing the intended access control mechanisms.
The vulnerability affects the document handling functionality, specifically the API endpoints responsible for document retrieval. The authorization logic failed to properly verify that the requesting user had legitimate access rights to the specific document being requested, allowing horizontal privilege escalation between different authors' submissions.
Root Cause
The vulnerability stems from inadequate authorization enforcement in the document API implementation. The code failed to validate whether the authenticated user making the document request was actually authorized to access documents from that specific submission. The fix implemented in commit ceacd5f1476458792c44c6a993670f02c984b4a0 addresses this by properly validating document access permissions and fixing a document leak in the API handler.
Attack Vector
An attacker with valid credentials and at least one submission on the HotCRP platform could exploit this vulnerability by manipulating document API requests. By modifying parameters such as docid, hash, or version in API calls, an attacker could enumerate and download documents belonging to other submissions. This attack requires network access and low-privilege authentication (any author account).
The fix introduces proper document access validation as shown in the security patches:
// Security patch in src/api/api_document.php - Fix document leak
}
static function document(Contact $user, Qrequest $qreq) {
- return false;
$qreq->qsession()->commit();
if (friendly_boolean($qreq->forceShow) !== false) {
$user->add_overrides(Contact::OVERRIDE_CONFLICT);
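Review bot: In document(), the `friendly_boolean($qreq->forceShow) !== false` test adds Contact::OVERRIDE_CONFLICT unless friendly_boolean returns exactly false, so any other result takes the override path. With the early `return false;` removed, this path is now live for every caller. Please confirm that the permission check further down (not visible in these lines) does not let the override widen access for plain authors. Consider requiring an explicit true value here, and add a regression test in which an author requests a document from a submission they do not own.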
Source: GitHub Commit
Additional changes to the document request handling improved parameter validation:
// Security patch in src/documentrequest.php - Fix document leak
/** @param Qrequest $qreq */
private function _apply_specific_version($qreq) {
$this->cacheable = true;
+
+ // parse version parameters
+ $docid = null;
if (isset($qreq->docid)) {
- $key = "docid";
$docid = stoi($qreq->docid) ?? 0;
if ($docid <= 1) {
- $this->error_at($key, "<0>Invalid document ID");
+ $this->error_at("docid", "<0>Invalid document ID");
$this->_error_status = 400;
return;
}
- $doc = $this->prow->document($this->dtype, $docid, true);
- } else {
- $key = isset($qreq->hash) ? "hash" : "version";
- $dochash = HashAnalysis::hash_as_binary(trim($qreq->$key));
+ }
+
+ $dochash = $hashkey = null;
+ if (isset($qreq->hash) || isset($qreq->version)) {
+ $hashkey = isset($qreq->hash) ? "hash" : "version";
+ $dochash = HashAnalysis::hash_as_binary(trim($qreq->$hashkey));
if (!$dochash) {
- $this->error_at($key, "<0>Invalid document hash");
+ $this->error_at($hashkey, "<0>Invalid document hash");
$this->_error_status = 400;
return;
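Review bot: In _apply_specific_version, `docid` and `hash`/`version` are now parsed in two independent `if` blocks instead of an if/else, so a single request can carry both, and the lines shown end before the lookup. The removed `$this->prow->document($this->dtype, $docid, true)` call was the only visible place where the docid was tied to `$this->prow`; the replacement lookup should keep that binding and reject a request whose docid and hash identify different documents. Separately, `$docid <= 1` treats ID 1 as invalid; a short comment saying whether that is intentional would help.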
Source: GitHub Commit
Detection Methods for CVE-2026-23878
Indicators of Compromise
- Unusual volume of document API requests from a single user account
- Document access logs showing users downloading documents for submissions they don't own
- API requests with sequential or enumerated docid parameters indicating document enumeration attempts
- Access to documents outside of typical user behavior patterns
Detection Strategies
- Monitor web application logs for document API endpoint access patterns
- Implement alerting for users accessing documents outside their authorized submission scope
- Review access logs for bulk document download patterns from individual accounts
- Correlate document access requests with submission ownership records
Monitoring Recommendations
- Enable detailed logging for all document API endpoints
- Implement real-time monitoring for document access anomalies
- Set up alerts for document enumeration patterns (sequential docid requests)
- Audit document access logs periodically for unauthorized access attempts
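One way to carry out the ownership correlation and sequential-docid checks listed above, as an added example (not code from the advisory or from HotCRP). The log line format, the `p` submission parameter, the ownership map and all sample values are constructed assumptions; adapt the parser to the real access log format of the server.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log in an assumed "time user method url" format.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z alice@example.org GET /api/document?p=12&docid=340
2026-01-10T09:02:11Z mallory@example.org GET /api/document?p=44&docid=601
2026-01-10T09:02:12Z mallory@example.org GET /api/document?p=12&docid=340
2026-01-10T09:02:13Z mallory@example.org GET /api/document?p=12&docid=341
2026-01-10T09:02:14Z mallory@example.org GET /api/document?p=31&docid=342
"""
# Constructed ownership export: author -> submission ids they may read.
OWNERS = {"alice@example.org": {12}, "mallory@example.org": {44}}
DOC_REQ = re.compile(r"^\S+ (?P<user>\S+) GET \S*/api/document\?(?P<query>\S*)$")

def parse_line(line):
    """Return (user, submission id, docid or None), or None if not a document request."""
    m = DOC_REQ.match(line.strip())
    if not m:
        return None
    q = parse_qs(m["query"])
    paper, docid = q.get("p", [""])[0], q.get("docid", [""])[0]
    if not paper.isdecimal():
        return None
    return m["user"], int(paper), int(docid) if docid.isdecimal() else None

def longest_run(ids):
    """Length of the longest run of consecutive integers among the ids."""
    best, cur, prev = 0, 0, None
    for i in sorted(set(ids)):
        cur = cur + 1 if prev is not None and i == prev + 1 else 1
        best, prev = max(best, cur), i
    return best

def analyze(log_text, owners, privileged=frozenset(), run_len=3):
    """Flag users who read submissions they do not own or walked run_len+ consecutive docids."""
    foreign, docids = defaultdict(set), defaultdict(list)
    for user, paper, docid in filter(None, map(parse_line, log_text.splitlines())):
        if paper not in owners.get(user, ()):
            foreign[user].add(paper)
        if docid is not None:
            docids[user].append(docid)
    findings = {}
    # Chairs and reviewers with legitimately wider access are excluded here.
    for user in (set(foreign) | set(docids)) - set(privileged):
        enumerated = longest_run(docids[user]) >= run_len
        if foreign[user] or enumerated:
            findings[user] = {"foreign": foreign[user], "enumerated": enumerated}
    return findings
```

Requests that select a document by `hash` or `version` instead of `docid` are still checked against ownership; only the enumeration heuristic skips them.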
How to Mitigate CVE-2026-23878
Immediate Actions Required
- Update HotCRP to a version containing commit ceacd5f1476458792c44c6a993670f02c984b4a0 or later
- Review document access logs for potential unauthorized access prior to patching
- Notify affected users if unauthorized document access is detected
- Consider temporarily restricting document API access until patching is complete
Patch Information
The vulnerability has been patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0. Administrators should update their HotCRP installations to include this fix. For detailed patch information, refer to the GitHub Security Advisory GHSA-vh3x-xwj4-jvqx and the patch commit.
Workarounds
- Restrict access to the document API endpoints at the web server level until patching
- Implement additional authentication layers for document access
- Temporarily disable document history and versioning features if not critical
- Consider network-level access restrictions to limit API exposure
# Example: Restrict document API access via nginx (temporary workaround)
location ~ /api/document {
    # Allow only trusted IP ranges until patch is applied
    allow 192.168.1.0/24;
    deny all;
}

