CVE-2026-23878: CWE-201: Insertion of Sensitive Information Into Sent Data in kohler hotcrp
HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0.
AI Analysis
Technical Summary
CVE-2026-23878 is a vulnerability classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) affecting HotCRP, a widely used conference review software. The flaw exists in the document API, where authors who have at least one submission on a HotCRP site can exploit the API to download any documents associated with any submission, not limited to their own. This means an authenticated author can access PDFs and attachments belonging to other submissions, breaching confidentiality boundaries within the system. The vulnerability was introduced starting from commit aa20ef288828b04550950cf67c831af8a525f508 and was fixed in commit ceacd5f1476458792c44c6a993670f02c984b4a0. The CVSS v3.1 score is 6.5 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and privileges of an authenticated author, but no user interaction. The impact is high on confidentiality, with no effect on integrity or availability. No public exploits have been reported, but the vulnerability poses a significant risk to the confidentiality of sensitive academic and research documents managed by HotCRP. The patch should be applied immediately to prevent unauthorized document access.
Potential Impact
For European organizations, especially academic institutions, research bodies, and conference organizers using HotCRP, this vulnerability risks unauthorized disclosure of sensitive research papers, unpublished data, and confidential peer review documents. Such leakage can lead to intellectual property theft, reputational damage, and potential legal consequences under GDPR due to improper handling of sensitive personal or research data. The breach of confidentiality can undermine trust in the peer review process and academic integrity. Since HotCRP is used globally, European entities hosting conferences or managing submissions via HotCRP are directly impacted. The requirement for authenticated author privileges limits the attack surface but does not eliminate risk, as insider threats or compromised author accounts could exploit this flaw. The absence of known exploits in the wild suggests limited active exploitation but does not preclude targeted attacks.
Mitigation Recommendations
European organizations should immediately verify their HotCRP version and upgrade to the patched commit ceacd5f1476458792c44c6a993670f02c984b4a0 or later. If upgrading is not immediately possible, restrict author permissions and monitor document API access logs for unusual activity. Implement strict access controls and multi-factor authentication for author accounts to reduce the risk of account compromise. Conduct regular audits of submission and document access patterns to detect anomalies. Educate users about the risk of credential theft and insider threats. Additionally, consider isolating HotCRP instances within secure network segments and applying web application firewalls with rules to detect abnormal API requests. Prompt patch management and vulnerability scanning should be part of ongoing security hygiene.
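The log review recommended above can be scripted. The following is an added example, not code from the advisory or from HotCRP itself: it assumes a simplified, constructed log format (user, method, path, status) and an ownership export from the site's own database, and flags successful document-API fetches for submissions the requesting author is not listed on, plus the per-account count of distinct papers touched.

```python
import re
from collections import defaultdict

# Constructed access-log lines (an assumption: real HotCRP and web-server log
# formats differ, so adjust LINE_RE to your deployment).
# Fields: timestamp, authenticated user, HTTP method, request path, status.
SAMPLE_LOG = """\
2026-01-19T18:00:01Z alice@example.org GET /api/document?p=12&dt=0 200
2026-01-19T18:00:05Z alice@example.org GET /api/document?p=12&dt=-1 200
2026-01-19T18:01:10Z bob@example.org GET /api/document?p=7&dt=0 200
2026-01-19T18:01:12Z bob@example.org GET /api/document?p=12&dt=0 200
2026-01-19T18:01:13Z bob@example.org GET /api/document?p=13&dt=0 200
2026-01-19T18:01:15Z bob@example.org GET /api/document?p=14&dt=0 200
2026-01-19T18:02:00Z carol@example.org GET /api/document?p=9&dt=0 200
"""

# Constructed ownership and role data, as exported from the site's database:
# which submissions each author account is listed on, and which accounts hold
# PC/chair roles that legitimately see every paper's documents.
AUTHOR_OF = {"alice@example.org": {12}, "bob@example.org": {7}}
PC_ACCOUNTS = {"carol@example.org"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"/api/document\?\S*\bp=(?P<pid>\d+)\S* (?P<status>\d{3})$"
)

def parse_document_requests(log_text):
    """Yield (ts, user, paper_id, status) for each document-API request line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["user"], int(m["pid"]), int(m["status"])

def find_cross_submission_access(log_text, author_of, pc_accounts):
    """Requests where a non-PC account fetched a document of a paper it is not
    an author of. Only 2xx responses count: a denied request means the
    authorization check held."""
    hits = []
    for ts, user, pid, status in parse_document_requests(log_text):
        if user in pc_accounts or not 200 <= status < 300:
            continue
        if pid not in author_of.get(user, set()):
            hits.append((ts, user, pid))
    return hits

def papers_per_user(log_text):
    """Distinct paper ids each account pulled documents for; a burst of many
    distinct ids from one author account is the enumeration pattern to watch."""
    seen = defaultdict(set)
    for _, user, pid, _ in parse_document_requests(log_text):
        seen[user].add(pid)
    return {u: len(p) for u, p in seen.items()}
```

On the constructed sample, the only account flagged is bob, who fetched papers 12, 13 and 14 while being an author of paper 7 alone.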
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-16T21:02:02.900Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696e7765d302b072d9d13d54
Added to database: 1/19/2026, 6:26:45 PM
Last enriched: 1/19/2026, 6:41:23 PM
Last updated: 1/19/2026, 9:20:07 PM