Article:

At 10:09 AM EST today the OpenReview team was notified by the ICLR Workflow Chair of a security vulnerability in our API that allowed unauthorized access to the identities of normally anonymous roles (reviewers, authors, and area chairs) across venues through a specific profile search API endpoint. A software patch blocking unauthorized access was deployed within one hour of the initial report.

Timeline of Response:

• 10:09 AM: Issue reported by ICLR 2026 Workflow Chair
• 10:12 AM: OpenReview team acknowledged receipt and began investigation
• 11:00 AM: Fix deployed to api.openreview.net
• 11:08 AM: Fix deployed to api2.openreview.net
• 11:10 AM: Program Chairs and Workflow Chair notified of resolution

The vulnerability allowed queries to the profiles/search endpoint using the “group” parameter in an unintended fashion to return identity information without proper authorization checks.

Current Actions: We are conducting a thorough analysis of API call logs to understand the full extent of what sensitive information was probed and identify which accounts obtained this data (particularly those making large-scale queries). We will be contacting multi-national law enforcement agencies about consequences for this behavior. We will be notifying all affected deanonymized users by email and will issue additional detailed public reports about this incident in the days ahead.

Exploitation Consequences: Any use, exploitation, or sharing of the leaked information is a violation of OpenReview’s Terms of Use (https://openreview.net/legal/terms) and may result in OpenReview account suspension. Doxxing, harassment, or any form of retaliation (whether online or in person) will not be tolerated, and will result in maximum penalties defined by the Terms of Use. We note that OpenReview Terms of Use prohibit circumvention of intended data readability rules, and also require that “If any User discovers an apparent security bug in the OpenReview System, the User must report the bug promptly by email to info@openreview.net, and not share information about the bug with others.”

Publication venues may impose additional penalties as defined by their codes of conduct.

Looking forward:

If you have information about violations of our Terms of Use or have concerns about this incident, please contact the OpenReview Policy mailing list at policy@openreview.net.

We take this incident very seriously and are reviewing our security protocols to prevent similar issues in the future.

We deeply apologize for this vulnerability and thank the community members who reported it promptly, enabling our rapid response. We understand that author and reviewer anonymity are an essential pillar of a thriving peer review ecosystem, and we acknowledge that we have fallen short of our own and your expectations. We are committed to continuing to improve our system and service.

Good will, integrity, and thoughtful dialog in scientific communities is precious and delicate. We encourage everyone to uphold these norms by acting ethically, reporting concerns promptly, and supporting a culture where fairness and transparency can thrive. We all have a role to play in engaging one another with care, candor, and respect, especially in moments when our systems and norms are tested.

The OpenReview Team