resolved
Previous commenter on post can still comment even after comment permission is changed to disabled
Bug reported by Allen John was disclosed on February 3, 2026, at 9:30 am | Improper Access Control - Generic
A logic error existed in the comment permission system that allowed users who had previously commented on a post to continue posting additional comments even after the post owner disabled commenting functionality. The vulnerability occurred when an account created a post with comments enabled, another account posted a comment, and then the original poster disabled comments. Users who had commented before the restriction was applied retained the ability to add new comments, bypassing the intended access control mechanism. This represented an improper access control vulnerability where the system failed to properly enforce updated permission settings, affecting the moderation controls that post owners relied on to manage interactions on their content.
resolved
Improper Access Control - Access to "Active Hiring" (Premium feature) filter results
Bug reported by minex627 was disclosed on February 3, 2026, at 9:21 am | Improper Access Control - Generic
An access control vulnerability was identified in LinkedIn's people search functionality that allowed unauthorized access to premium "Active Hiring" filter results. The vulnerability was found in the GraphQL API endpoint where premium feature restrictions were not properly enforced, allowing users without an active LinkedIn Premium subscription to bypass the paywall and access complete search results. A simplified exploitation method was also discovered through URL manipulation to access additional premium results without technical knowledge. The flaw represented an improper access control issue where business logic failed to consistently enforce subscription-based restrictions across different access vectors.

