ICLR 2026 Response to Security Incident
Summary
The ICLR 2026 peer review process experienced a significant security incident starting November 27, 2025, when a bug in OpenReview's API was exploited to leak author, reviewer, and area chair identities for over 10,000 ICLR submissions, representing 45% of the conference. Malicious actors circulated this data, leading to attempts at collusion, harassment, intimidation, and bribery targeting reviewers. The ICLR team, in collaboration with OpenReview, responded by fixing the bug, freezing review form editing and public comments, reverting reviews to their pre-discussion state, and reassigning all Area Chairs (ACs). New ACs are tasked with writing metareviews based on the original reviews and discussions, supported by AC triplets for challenging cases and by deadlines extended until January 6, with the aim of sending notifications by January 26. The individual responsible for widely sharing the leaked data has been identified and banned, and papers involved in collusion attempts face desk rejection.
Key takeaway
For AI scientists and program chairs managing peer review systems, this incident highlights the critical need for stringent platform security and a well-defined incident response plan. Your systems must be resilient against identity leaks and prepared for rapid, decisive action like review freezes and reassignments to maintain academic integrity. Proactively sharing findings with other conferences can strengthen community-wide defenses against similar attacks.
Key insights
An OpenReview API exploit led to a major ICLR security breach, compromising anonymity and academic integrity.
Principles
- Academic integrity is paramount.
- Swift, decisive action is critical.
- Transparency builds community trust.
Method
The ICLR response involved freezing discussions, reassigning ACs, reverting reviews to a pre-breach state, and implementing AC triplets for support, aiming to preserve academic integrity while minimizing disruption.
In practice
- Implement robust API security audits.
- Develop rapid incident response protocols.
- Identify and ban malicious actors.
Topics
- ICLR 2026
- Peer Review Process
- Security Incident
- OpenReview API
- Academic Integrity
Best for: AI Scientist, CTO, VP of Engineering/Data, AI Researcher, Research Scientist, AI Ethicist
Editorial summary, takeaway, and curation by AIssential. Original article published by ICLR Blog.