PT-2026-39656 · Hireflow · Hireflow

Hijackedamygdala

+1

·

Published

2026-05-11

·

Updated

2026-05-11

·

CVE-2026-38568

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions HireFlow version 1.2
Description Incorrect Access Control allows authenticated users to perform horizontal privilege escalation. The application fails to enforce object-level authorization on the "/candidate/" and "/interview/" endpoints. Route handlers retrieve records using the user-supplied id without verifying if the requester is the owner or possesses an authorized role, potentially leading to a full data breach of all candidate profiles and interview notes.
Recommendations Implement object-level authorization checks for the "/candidate/" and "/interview/" endpoints to ensure users can only access records they are authorized to view.

Exploit

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-38568

Affected Products

Hireflow