HotCRP Document API Unauthorized Access Vulnerability

Vulnerability

A vulnerability in HotCRP's document API allowed authors with submissions to download any documents associated with any submission on the site. This issue was present in HotCRP version 3.1 and was introduced in October 2025. The vulnerability has been patched in version 3.2.

Impact

Exploitation of this vulnerability allowed for unauthorized access to documents submitted by other authors, including PDFs and attachments.

Reproduction

To reproduce this vulnerability, an author with at least one submission on a HotCRP site could use the document API to request documents from any submission, bypassing authorization checks. This could be done by manipulating the API request to include the desired document's submission details.
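The authorization gap described above, modelled as an added example (a simplified hypothetical model, not HotCRP's own code): a check that only asks whether the requester has any submission, beside the corrected check that authorizes against the specific submission owning the requested document. The `Document`, `User` and `DOCUMENTS` names are assumptions for the example.

```python
"""Author-level check that ignores which submission owns the requested
document, beside the corrected per-object check. Hypothetical model,
not HotCRP code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    doc_id: int
    paper_id: int  # submission that owns this document


@dataclass
class User:
    name: str
    authored: frozenset = field(default_factory=frozenset)  # paper ids
    is_pc: bool = False  # program committee member / site admin


# Constructed sample site: two submissions, one document each.
DOCUMENTS = {
    101: Document(doc_id=101, paper_id=1),
    202: Document(doc_id=202, paper_id=2),
}
alice = User("alice", authored=frozenset({1}))
bob = User("bob", authored=frozenset({2}))
carol = User("carol")  # registered, but has no submissions
chair = User("chair", is_pc=True)


def can_download_vulnerable(user: User, doc_id: int) -> bool:
    """Flawed check: only asks 'does this user have any submission?'
    Any author can then fetch any document on the site."""
    if doc_id not in DOCUMENTS:
        return False
    return user.is_pc or bool(user.authored)


def can_download_fixed(user: User, doc_id: int) -> bool:
    """Corrected check: authorize against the submission that owns the
    requested document, not against the user's submissions in general."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return False  # unknown document: deny, and do not leak existence
    return user.is_pc or doc.paper_id in user.authored


if __name__ == "__main__":
    for check in (can_download_vulnerable, can_download_fixed):
        print(check.__name__, "alice -> doc 202:", check(alice, 202))
```

A regression test for the fix is the cross-submission case: an author of one paper must be denied a document belonging to another paper, while PC members and the paper's own authors are still allowed.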

Remediation

Users can upgrade to HotCRP version 3.2 to address this vulnerability.

Added: Jan 19, 2026, 7:22 PM
Updated: Jan 19, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 2.1