HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secret_key used to sign session cookies, allowing unauthenticated attackers who know the public source value to forge cookies containing role=admin and user_id values and bypass authentication. The advisory lists version 1.3 as fixed.
Metrics
Affected Vendors & Products
References
History
Thu, 16 Jul 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Stratonwebdesigners
Stratonwebdesigners hireflow |
|
| Vendors & Products |
Stratonwebdesigners
Stratonwebdesigners hireflow |
Thu, 16 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secret_key used to sign session cookies, allowing unauthenticated attackers who know the public source value to forge cookies containing role=admin and user_id values and bypass authentication. The advisory lists version 1.3 as fixed. | |
| Title | HireFlow: Use of Hard-coded Credentials | |
| Weaknesses | CWE-798 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T17:03:00.629Z
Reserved: 2026-05-11T21:40:08.176Z
Link: CVE-2026-45336
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T19:00:04Z