CVE-2026-45336

StratonWebDesigners · HireFlow

HireFlow versions 1.3 and earlier contain a hard-coded secret key in app.py, allowing unauthenticated attackers to forge session cookies and bypass authentication mechanisms.

Executive summary

A critical authentication bypass vulnerability in StratonWebDesigners HireFlow allows unauthenticated attackers to gain administrative access via forged session cookies.

Vulnerability

The application utilizes a hard-coded Flask secret key, which is used to sign session cookies. This vulnerability allows an unauthenticated attacker to generate valid, unauthorized session tokens, effectively bypassing all authentication controls and escalating privileges to the administrator level.

Business impact

This vulnerability carries a maximum CVSS score of 10.0, indicating a critical risk to the confidentiality, integrity, and availability of the system. Successful exploitation grants an attacker full administrative control over the interview management platform, potentially leading to unauthorized access to sensitive candidate data, manipulation of hiring processes, and full system compromise.

Remediation

Immediate Action: Update StratonWebDesigners HireFlow to version 1.3 or higher immediately to remediate the hard-coded credential flaw.

Proactive Monitoring: Review application logs for unusual session activity or authentication tokens that do not correlate with known user access patterns.

Compensating Controls: Deploy a Web Application Firewall with rules configured to detect and block suspicious session cookie formats or unauthorized administrative path access.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this flaw cannot be overstated, as it provides a trivial path to full administrative compromise. Organizations currently running HireFlow must prioritize the upgrade to version 1.3 immediately to eliminate this critical security gap.