Ctrl + K
/ news / CVE
CVEPublished 2026-05-11Modified 2026-05-121 article on news6 live referencesNVD data

CVE-2026-38568

Vulnerability data via NVD (ingested)

CVSS v3.1
8.1
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS percentile
Weaknesses (CWE)
CWE-639Authorization Bypass Through User-Controlled Key
Description

HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.

Timeline
Published 2026-05-11
Modified 2026-05-12

External references

NVDMITREExploit-DBGitHub PoCSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2026-38568
Hosts Shodan has explicitly fingerprinted as vulnerable.
More intel sources (5)
Shodan report
vuln:CVE-2026-38568
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-38568
Censys host search filtered to this CVE id.
grep.app
CVE-2026-38568
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-38568
GitHub code search for direct mentions.
Google dork
"CVE-2026-38568" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (1)

CVE-2026-385681 repo
hijackedamygdala/CVE-Disclosuresunknown
★ 2·updated 1mo ago
Articles on news mentioning CVE-2026-38568