CVE-2026-23878: CWE-201: Insertion of Sensitive Information Into Sent Data in kohler hotcrp
HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0.
AI Analysis
Technical Summary
CVE-2026-23878 is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and affects HotCRP, widely used conference review management software. The root cause is an insufficient access-control check in the document API: any account listed as an author on at least one submission could download the documents (PDFs and other attachments) of any submission on the site, not only its own. Those documents may contain confidential material belonging to other authors. The flaw was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 and fixed in commit ceacd5f1476458792c44c6a993670f02c984b4a0. Exploitation requires author-level privileges on the site but no user interaction. The CVSS v3.1 base score is 6.5 (medium): network attack vector, low attack complexity, privileges required. The impact is on confidentiality: unauthorized access to submission documents discloses information that can undermine the peer-review process and expose intellectual property. No exploits in the wild are known at this time. The case shows why collaborative academic software needs strict, per-submission access control to prevent data leakage between users.
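The flaw class described above, as an added example that is not HotCRP's own code: a toy document store whose flawed path gates on the requester's role (is this account an author of some paper?) and whose corrected path authorizes the pair of requester and requested paper. The class and field names (User, Paper, DocumentStore, check_access) and the sample papers are constructed for this illustration and do not mirror HotCRP's real classes or API.

```python
"""Added example (not HotCRP's code): the class of authorization flaw behind
CVE-2026-23878, modelled on a toy document store.

Names (User, Paper, DocumentStore) and fields are constructed for this
illustration; they do not mirror HotCRP's real classes or API.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    email: str
    is_pc: bool = False  # program-committee accounts are entitled to read submissions


@dataclass
class Paper:
    pid: int
    authors: frozenset                              # e-mails listed as authors of this paper
    documents: dict = field(default_factory=dict)   # document name -> bytes


class DocumentStore:
    def __init__(self, papers):
        self.papers = {p.pid: p for p in papers}

    def is_author_anywhere(self, user):
        """Role-level question: is this account an author of *some* paper?"""
        return any(user.email in p.authors for p in self.papers.values())

    def fetch_flawed(self, user, pid, name):
        """Flawed pattern: gate on the requester's role, not on the requested
        paper. Any author on the site can read any paper's documents."""
        if not (user.is_pc or self.is_author_anywhere(user)):
            raise PermissionError("not an author on this site")
        return self.papers[pid].documents[name]

    def fetch(self, user, pid, name):
        """Corrected pattern: authorize the (user, requested paper) pair."""
        paper = self.papers[pid]
        if not (user.is_pc or user.email in paper.authors):
            raise PermissionError(f"{user.email} may not read paper {pid}")
        return paper.documents[name]


def check_access(store, user, pid, name, flawed=False):
    """True if the chosen code path would hand the document to the user."""
    try:
        (store.fetch_flawed if flawed else store.fetch)(user, pid, name)
        return True
    except PermissionError:
        return False


def build_demo_store():
    """Constructed sample data: two papers with disjoint author lists."""
    return DocumentStore([
        Paper(7, frozenset({"alice@example.org"}), {"paper.pdf": b"%PDF-1.7 alice"}),
        Paper(12, frozenset({"bob@example.org"}), {"paper.pdf": b"%PDF-1.7 bob"}),
    ])


if __name__ == "__main__":
    store = build_demo_store()
    bob = User("bob@example.org")   # author of paper 12 only
    print("flawed path:", check_access(store, bob, 7, "paper.pdf", flawed=True))  # True: leak
    print("fixed path: ", check_access(store, bob, 7, "paper.pdf"))               # False
```

The design point is the one the advisory turns on: the authorization decision must take the requested object as an input. A check that can be answered without looking at the paper being fetched (as `fetch_flawed` does) cannot distinguish an author's own submission from anyone else's.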
Potential Impact
For European organizations, especially academic institutions, research centers, and conference organizers using HotCRP, this vulnerability poses a significant risk of unauthorized disclosure of sensitive submission documents. Such exposure could lead to intellectual property theft, breach of confidentiality agreements, and erosion of trust in the peer review process. The impact is heightened in Europe due to strict data protection regulations such as GDPR, where unauthorized data disclosure can result in legal penalties and reputational damage. Confidentiality breaches may also affect collaborations and funding opportunities. Since the vulnerability requires author-level access, insider threats or compromised author accounts could be leveraged to exploit this flaw. The lack of impact on integrity and availability limits the scope to data leakage, but the sensitivity of academic submissions makes this a critical concern for affected organizations.
Mitigation Recommendations
European organizations should immediately verify their HotCRP installations and upgrade to the patched commit ceacd5f1476458792c44c6a993670f02c984b4a0 or later. If upgrading is not immediately feasible, restrict which accounts hold author privileges and monitor document API usage for anomalous access patterns, in particular author accounts fetching documents of submissions they are not listed on. Audit user permissions to ensure only authorized authors have submission access. Use network segmentation and application-layer firewalls to limit exposure of the HotCRP instance. Educate users on account security to prevent credential compromise. Add logging and alerting on document downloads to detect exploitation attempts. Review and update software dependencies regularly and monitor vendor advisories for further patches or related vulnerabilities.
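One way to implement the download monitoring recommended above, as an added example that is not part of the advisory and not HotCRP code: a detector run over access-log lines that flags successful document-API downloads by author accounts for submissions they are not listed on, and separately reports accounts whose foreign downloads span several submissions. The log line format, the `/api/document?p=<id>` route, the account-to-paper map and the sample lines are all constructed assumptions; adapt the regular expressions to your web server's real log format and to the route your HotCRP version serves documents from, and feed the author map from your own database.

```python
"""Added example (not HotCRP code): flag document-API downloads by author
accounts for submissions they are not authors of.

The log format, the /api/document?p=<id> route, the account->papers map and
the sample lines are constructed assumptions for this illustration.
"""
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp> user=<email> GET <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) GET (?P<path>/api/document\?\S*) (?P<status>\d{3})$"
)
PID_RE = re.compile(r"[?&]p=(\d+)")   # paper id in the query string (assumed parameter name)

# Constructed sample log lines: alice reads her own paper, bob reads his own
# and then two papers he is not listed on, one request fails, PC reads paper 7.
SAMPLE_LOG = """\
2026-01-20T10:00:01Z user=alice@example.org GET /api/document?p=7 200
2026-01-20T10:00:05Z user=bob@example.org GET /api/document?p=12 200
2026-01-20T10:01:10Z user=bob@example.org GET /api/document?p=7 200
2026-01-20T10:01:12Z user=bob@example.org GET /api/document?p=8 200
2026-01-20T10:01:14Z user=bob@example.org GET /api/document?p=9 404
2026-01-20T10:02:00Z user=pc@example.org GET /api/document?p=7 200
this line is not a document request and is skipped
"""

# Constructed: which submissions each author account is listed on, and which
# accounts are program-committee members entitled to read submissions.
AUTHOR_PAPERS = {"alice@example.org": {7}, "bob@example.org": {12}}
PC_ACCOUNTS = {"pc@example.org"}


def parse(line):
    """Return (timestamp, user, paper id, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    pm = PID_RE.search(m["path"])
    if not pm:
        return None
    return m["ts"], m["user"], int(pm.group(1)), int(m["status"])


def find_cross_paper_downloads(log_text, author_papers, pc_accounts, sweep_threshold=2):
    """Return (alerts, sweeps).

    alerts: (ts, user, pid) for each successful download of a paper the
            author account is not listed on.
    sweeps: accounts whose foreign downloads cover at least sweep_threshold
            distinct papers, i.e. enumeration-like behaviour worth escalating.
    """
    alerts = []
    foreign = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, pid, status = rec
        if user in pc_accounts:
            continue           # entitled readers; not the population this rule covers
        if status != 200:
            continue           # nothing was served; count separately if you want attempts
        if pid not in author_papers.get(user, set()):
            alerts.append((ts, user, pid))
            foreign[user].add(pid)
    sweeps = sorted(u for u, pids in foreign.items() if len(pids) >= sweep_threshold)
    return alerts, sweeps


if __name__ == "__main__":
    alerts, sweeps = find_cross_paper_downloads(SAMPLE_LOG, AUTHOR_PAPERS, PC_ACCOUNTS)
    for ts, user, pid in alerts:
        print(f"ALERT {ts} {user} downloaded documents of paper {pid} (not an author)")
    for user in sweeps:
        print(f"SWEEP {user} downloaded multiple foreign submissions")
```

Run against the constructed sample this reports bob's two foreign downloads and lists him as a sweep; alice's and the PC account's requests and the failed request are not flagged. On a patched instance the same rule is still useful with the status filter relaxed, since repeated 403 responses on foreign papers show an account probing the fix.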
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-16T21:02:02.900Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 696e7765d302b072d9d13d54
Added to database: 1/19/2026, 6:26:45 PM
Last enriched: 1/26/2026, 7:49:01 PM
Last updated: 2/7/2026, 4:00:48 AM