Vulnerability Description
HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/StratonWebDesigners/HireFlow
- https://github.com/hijackedamygdala/CVE-Disclosures/tree/main/HireFlow/CVE-2026-
- https://www.sourcecodester.com/python/18688/hireflow-%E2%80%93-complete-intervie
FAQ
What is CVE-2026-38568?
CVE-2026-38568 is a vulnerability with a CVSS score of 8.1 (HIGH). HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve r...
How severe is CVE-2026-38568?
CVE-2026-38568 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-38568?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.