PT-2026-3478 · Hotcrp · Hotcrp

Kohler · Published 2026-01-19 · Updated 2026-01-19 · CVE-2026-23878

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HotCRP versions prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0

Description: HotCRP is conference review software. Authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission, not only their own. The issue stems from insufficient access controls within the document API, which allowed unauthorized document retrieval.

Recommendations: Update HotCRP to commit ceacd5f1476458792c44c6a993670f02c984b4a0 or a later version to resolve the issue.

Related Identifiers

CVE-2026-23878
GHSA-VH3X-XWJ4-JVQX

Affected Products

Hotcrp