PT-2026-39656 · Hireflow · Hireflow

Hijackedamygdala +1

Published 2026-05-11 · Updated 2026-05-11 · CVE-2026-38568

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HireFlow version 1.2

Description: Incorrect Access Control allows authenticated users to perform horizontal privilege escalation. The application fails to enforce object-level authorization on the "/candidate/" and "/interview/" endpoints. Route handlers retrieve records using the user-supplied id without verifying whether the requester is the owner or holds an authorized role, potentially leading to a full data breach of all candidate profiles and interview notes.

Recommendations: Implement object-level authorization checks for the "/candidate/" and "/interview/" endpoints to ensure users can only access records they are authorized to view.
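The following is an added example, not HireFlow's code, showing the vulnerable lookup pattern the advisory describes next to a handler that enforces the recommended object-level check on both record types. The data model, the role names ("candidate", "recruiter", "admin") and the ownership rules are assumptions made for the illustration.

```python
# Added example, not HireFlow's code: object-level authorization for the
# /candidate/<id> and /interview/<id> lookups. Model, roles, rules are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # assumed roles: "candidate", "recruiter", "admin"

@dataclass(frozen=True)
class Candidate:
    id: int
    owner_id: int  # user who owns this profile

@dataclass(frozen=True)
class Interview:
    id: int
    candidate_id: int
    interviewer_ids: frozenset  # recruiters assigned to this interview

# Constructed sample records standing in for the database.
CANDIDATES = {10: Candidate(10, owner_id=1), 11: Candidate(11, owner_id=2)}
INTERVIEWS = {20: Interview(20, candidate_id=10, interviewer_ids=frozenset({3}))}

def get_candidate_vulnerable(requester, candidate_id):
    # Advisory's pattern: fetch by the supplied id only, no ownership or role check.
    return CANDIDATES.get(candidate_id)

def can_view_candidate(requester, cand):
    if requester.role == "admin" or cand.owner_id == requester.id:
        return True
    # A recruiter may see a profile only when assigned to one of its interviews.
    return requester.role == "recruiter" and any(
        iv.candidate_id == cand.id and requester.id in iv.interviewer_ids
        for iv in INTERVIEWS.values())

def get_candidate(requester, candidate_id):
    # Per-object check; None for both missing and forbidden, so ids are not enumerable.
    cand = CANDIDATES.get(candidate_id)
    if cand is None or not can_view_candidate(requester, cand):
        return None
    return cand

def get_interview(requester, interview_id):
    iv = INTERVIEWS.get(interview_id)
    if iv is None:
        return None
    allowed = (requester.role == "admin" or requester.id in iv.interviewer_ids
               or CANDIDATES[iv.candidate_id].owner_id == requester.id)
    return iv if allowed else None
```

Returning the same "not found" result for a record that is missing and one the requester may not view keeps the endpoint from confirming which ids exist.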

Weakness Enumeration: IDOR

Related Identifiers: CVE-2026-38568

Affected Products: Hireflow