LeakyCreds

CVE-2026-38568 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: May 12, 2026

HireFlow - Broken Access Control

Published: May 11, 2026
Updated: May 12, 2026
Remote Exploitable

Overview

HireFlow v1.2 contains an incorrect access control vulnerability: the /candidate/<id> and /interview/<id> endpoints verify that the caller holds a valid session but perform no object-level authorization, so any authenticated user can retrieve records belonging to other users by supplying their IDs. Exploitation requires authentication.

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Any authenticated user can read every candidate profile and every set of interview notes held by the application, regardless of who owns them. This is horizontal privilege escalation (an insecure direct object reference, CWE-639) that exposes the full candidate and interview data set to the lowest-privileged account.

Mitigation

Upgrade to a release that enforces object-level authorization. The fix is not a stronger login check: every request to /candidate/<id> and /interview/<id> must verify that the authenticated principal is permitted to read that specific record, and the check on an interview must be applied through the candidate it belongs to, otherwise the notes remain reachable via the child endpoint. After upgrading, confirm the fix by requesting another user's candidate and interview IDs from a low-privileged session and verifying that the server denies them.
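The following is an added example, not HireFlow's code, illustrating both the flaw described in the Overview and the fix described under Mitigation. The data model (candidates owned by a recruiter, interviews attached to a candidate), the "recruiter"/"admin" roles, and all identifiers are constructed for illustration; the real application's schema is not known from this advisory. It contrasts a handler that only checks for a session with one that checks the caller against the requested object, and includes the enumeration probe a tester would run to verify a fix.

```python
"""Object-level authorization on /candidate/<id> and /interview/<id>.

Added example, not HireFlow's code. Data model, roles and IDs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # assumed roles: "recruiter" or "admin"


@dataclass(frozen=True)
class Candidate:
    id: int
    owner_id: int  # the recruiter who may read this record
    notes: str


@dataclass(frozen=True)
class Interview:
    id: int
    candidate_id: int  # authorization is inherited from the candidate
    notes: str


# Constructed sample data; sequential IDs are what makes enumeration trivial.
CANDIDATES = {
    101: Candidate(101, owner_id=1, notes="strong backend skills"),
    102: Candidate(102, owner_id=2, notes="needs follow-up"),
    103: Candidate(103, owner_id=2, notes="offer pending"),
}
INTERVIEWS = {
    501: Interview(501, candidate_id=101, notes="phone screen: pass"),
    502: Interview(502, candidate_id=102, notes="onsite: hold"),
}


class Forbidden(Exception): pass
class NotFound(Exception): pass


def require_login(user):
    if user is None:
        raise Forbidden("login required")


def get_candidate_vulnerable(user, candidate_id):
    """Pattern the advisory describes: the session is checked, the object is not."""
    require_login(user)
    rec = CANDIDATES.get(candidate_id)
    if rec is None:
        raise NotFound(candidate_id)
    return rec  # any authenticated user receives any candidate


def can_read(user, candidate):
    """Object-level rule: owner or admin. Centralised so every endpoint that
    hands out candidate data, directly or via a child object, applies it."""
    return user.role == "admin" or candidate.owner_id == user.id


def get_candidate_fixed(user, candidate_id):
    require_login(user)
    rec = CANDIDATES.get(candidate_id)
    # Same 404 for "missing" and "not yours": a 403 would confirm the ID exists.
    if rec is None or not can_read(user, rec):
        raise NotFound(candidate_id)
    return rec


def get_interview_fixed(user, interview_id):
    """Child objects are authorized through their parent; fixing /candidate/<id>
    alone would still leak the notes via /interview/<id>."""
    require_login(user)
    rec = INTERVIEWS.get(interview_id)
    if rec is None or not can_read(user, CANDIDATES[rec.candidate_id]):
        raise NotFound(interview_id)
    return rec


def enumerate_accessible(handler, user, id_range):
    """Verification probe: walk an ID range as one low-privileged user and
    return every ID that came back with data."""
    found = []
    for obj_id in id_range:
        try:
            handler(user, obj_id)
            found.append(obj_id)
        except (Forbidden, NotFound):
            pass
    return found


if __name__ == "__main__":
    recruiter = User(id=1, role="recruiter")
    for label, handler, ids in [
        ("candidate (vulnerable)", get_candidate_vulnerable, range(100, 110)),
        ("candidate (fixed)", get_candidate_fixed, range(100, 110)),
        ("interview (fixed)", get_interview_fixed, range(500, 510)),
    ]:
        print(f"{label:24s} readable by user 1: {enumerate_accessible(handler, recruiter, ids)}")
```

Run as a script, the vulnerable handler returns all three candidates to user 1 while the fixed handlers return only the records that user owns. The probe is the same check to run against a patched deployment: authenticate as an ordinary user, request a range of IDs on both endpoints, and expect only that user's own objects back.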

Details

CVE ID
CVE-2026-38568
Severity
High
CVSS Score
8.1
Type
broken_access_control
Status
rejected

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N