CVE-2026-45336
StratonWebDesigners · HireFlow
HireFlow versions 1.3 and earlier contain a hard-coded secret key in app.py, allowing unauthenticated attackers to forge session cookies and bypass authentication mechanisms.
Executive summary
A critical authentication bypass vulnerability in StratonWebDesigners HireFlow allows unauthenticated attackers to gain administrative access via forged session cookies.
Vulnerability
The application utilizes a hard-coded Flask secret key, which is used to sign session cookies. This vulnerability allows an unauthenticated attacker to generate valid, unauthorized session tokens, effectively bypassing all authentication controls and escalating privileges to the administrator level.
Business impact
This vulnerability carries a maximum CVSS score of 10.0, indicating a critical risk to the confidentiality, integrity, and availability of the system. Successful exploitation grants an attacker full administrative control over the interview management platform, potentially leading to unauthorized access to sensitive candidate data, manipulation of hiring processes, and full system compromise.
Remediation
Immediate Action: Update StratonWebDesigners HireFlow to version 1.3 or higher immediately to remediate the hard-coded credential flaw.
Proactive Monitoring: Review application logs for unusual session activity or authentication tokens that do not correlate with known user access patterns.
Compensating Controls: Deploy a Web Application Firewall with rules configured to detect and block suspicious session cookie formats or unauthorized administrative path access.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this flaw cannot be overstated, as it provides a trivial path to full administrative compromise. Organizations currently running HireFlow must prioritize the upgrade to version 1.3 immediately to eliminate this critical security gap.