HotCRP.com

Security notice 202601

16 January 2026 — This morning HotCRP.com experienced a security breach. An attacker exploited an API vulnerability to download documents submitted by other authors to CCS 2026. The attacker was able to download submitted PDFs and attachments for approximately 500 papers before they were stopped.

The attack allowed any author to download documents for any submission, but the attack could not be targeted at a specific submission. Attackers could not modify submission data and could not view or download submission metadata, such as authors, review identities, or review contents.

This vulnerability has been fixed in open-source HotCRP and on HotCRP.com.

Based on an initial investigation, only CCS 2026 was subject to a large-scale attack. We do not see evidence that other conferences suffered bulk downloads of submitted documents.

Separately, on the same day, Luca Di Bartolomeo and Philipp Mao of EPFL’s HexHive Lab (Mathias Payer, PI) reported a critical vulnerability that could allow remote code execution. This vulnerability has also been fixed. I am very grateful to Luca, Philipp, and the HexHive Lab for their responsible disclosure.

Vulnerable versions of open-source HotCRP should be updated as soon as possible, either using Git or by downloading the newly-released version 3.2. Open-source users are also urged to subscribe to HotCRP’s security alerts using GitHub’s Watch feature (subscribe to All activity, or Custom > Security alerts).

HotCRP is trusted by researchers to protect their confidential data. I value that trust and take security seriously, and sincerely apologize for this breach.

If you know of any vulnerability in HotCRP or have questions or information about this incident, please contact me at ekohler@gmail.com or kohler@seas.harvard.edu. Security incidents may also be reported by opening a GitHub security advisory.

— Eddie Kohler

User conduct

HotCRP users are expected to use the system appropriately. Unauthorized information extraction from or modification of HotCRP.com sites violates both community norms and HotCRP’s code of conduct. Attacks and inappropriate sharing of vulnerabilities or sign-in credentials may lead to account suspension or termination and to further consequences, including escalation to ACM, IEEE, and other appropriate ethics boards. A user who discovers an apparent security bug on a HotCRP.com site must promptly report the issue and not share information about the bug with others. Our security policy explains this in more detail.

Vulnerability details

API vulnerability: Introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025, after v3.1), present in development versions, fixed in commit ceacd5f1476458792c44c6a993670f02c984b4a0 and in v3.2

CVE: CVE-2026-23878

RCE vulnerability: Introduced in commit 4674fcfbb76511072a1145dad620756fc1d4b4e9 (17 April 2024, after v3.0.0), present in development versions and v3.1, fixed in commit bfc7e0db15df6ed6d544a639020d2ce05a5f0834 and in v3.2

CVE: CVE-2026-23836