Openreview Statement Regarding API Security Incident (openreview.net)

🤖 AI Summary
OpenReview disclosed a security vulnerability in its API that briefly exposed the real identities of normally anonymous roles (reviewers, authors, area chairs) across venues. The bug, reported by the ICLR 2026 Workflow Chair at 10:09 AM EST, stemmed from the profiles/search endpoint: queries using the "group" parameter could return identity information without proper authorization checks. OpenReview acknowledged the report at 10:12 AM and deployed a software patch to api.openreview.net by 11:00 AM (and to api2.openreview.net at 11:08 AM); Program and Workflow Chairs were notified of the fix by 11:10 AM. The team is now analyzing API logs to determine what was probed and which accounts made large-scale queries, and will notify affected users and relevant law enforcement as needed.

This matters for the AI/ML community because anonymous peer review underpins fair conference evaluation: deanonymization risks bias, retaliation, doxxing, and erosion of trust across major venues. Technically, the flaw was an authorization logic gap in a search endpoint (improper handling of the "group" parameter) rather than a broader database breach, but it still could enable mass harvesting of identities. OpenReview warns that exploiting or sharing leaked information violates its Terms of Use and may lead to account suspension; it urges ethical reporting of bugs and promises further detailed reports and security protocol reviews in the coming days.
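The log review described above, as an added illustration that is not OpenReview's own tooling: it parses API access records in a hypothetical line format (OpenReview's real log schema is not given on the page), keeps only successful profiles/search requests carrying a "group" parameter, and flags accounts that fanned out across an assumed threshold of distinct groups. The sample lines, account names, dates and threshold are all constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Hypothetical log format (assumption, not OpenReview's real format):
# "<timestamp> <account> <method> <path?query> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines: one account enumerates many groups, two others make routine lookups.
SAMPLE_LOG = """\
2025-01-01T15:05:12Z acct_42 GET /profiles/search?group=ICLR.cc/2026/Conference/Reviewers 200
2025-01-01T15:05:13Z acct_42 GET /profiles/search?group=ICLR.cc/2026/Conference/Area_Chairs 200
2025-01-01T15:05:14Z acct_42 GET /profiles/search?group=ICLR.cc/2026/Conference/Authors 200
2025-01-01T15:05:15Z acct_42 GET /profiles/search?group=NeurIPS.cc/2025/Conference/Reviewers 200
2025-01-01T15:05:16Z acct_42 GET /profiles/search?group=ICML.cc/2025/Conference/Reviewers 200
2025-01-01T15:06:02Z acct_7 GET /profiles/search?term=jane 200
2025-01-01T15:06:40Z acct_9 GET /profiles/search?group=ICLR.cc/2026/Conference/Reviewers 200
2025-01-01T15:07:01Z acct_9 GET /notes?forum=abc123 200
"""


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def group_queries_by_account(log_text):
    """Map each account to the set of distinct 'group' values it queried on profiles/search."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only successful profiles/search calls that used the "group" parameter are relevant.
        if rec is None or rec["path"] != "/profiles/search" or rec["status"] != "200":
            continue
        for g in rec["query"].get("group", []):
            groups[rec["account"]].add(g)
    return groups


def flag_bulk_harvesters(log_text, min_distinct_groups=3):
    """Accounts whose distinct group queries reach the (assumed) threshold, for analyst follow-up."""
    return {a: sorted(gs) for a, gs in group_queries_by_account(log_text).items()
            if len(gs) >= min_distinct_groups}
```

The threshold is a starting point for triage, not a verdict; a program chair legitimately querying several groups in their own venue would need to be distinguished from cross-venue enumeration by a second pass over the flagged accounts.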