Description
Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. This occurs due to insufficient server-side validation of the employee_id parameter during file upload operations, allowing any authenticated employee to upload document in behalf of any employee. Version 1.5.0 fixes the issue.
Published: 2026-01-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized document upload
Action: Patch Now
AI Analysis

Impact

Horilla HR software contains an improper access control flaw that allows any authenticated employee to upload documents on behalf of another employee. The vulnerability stems from insufficient server‑side validation of the employee_id parameter during file upload, enabling the attacker to place files in the context of other users. This can compromise confidentiality and integrity of employee records and provide a vector for data leakage or malicious file distribution.

Affected Systems

The affected product is Horilla – the open‑source HRMS provided by horilla‑opensource. Versions starting at 1.4.0 and up to, but not including, 1.5.0 are vulnerable. Version 1.5.0 includes the fix and is considered safe.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity; exploitation requires only authentication of a legitimate HRMS user, so an insider or compromised account can easily abuse the issue. The EPSS score is below 1 %, suggesting low overall likelihood of public exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, once an authenticated user can upload a file as another employee, they could inject malicious content or falsify records, making mitigation a priority. The attack vector is inferred to be the web interface or API where file uploads occur, and the vulnerability does not provide remote code execution.

Generated by OpenCVE AI on April 18, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Horilla version 1.5.0 or later, which contains the vendor‑supplied fix.
  • Re‑configure upload endpoints to reject any employee_id value that does not match the authenticated user’s ID, ensuring strict access control.
  • Audit and restrict upload permissions in the HRMS role‑based access controls so that only authorized personnel can upload documents.

Generated by OpenCVE AI on April 18, 2026 at 03:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:horilla:horilla:1.4.0:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Horilla
Horilla horilla
Vendors & Products Horilla
Horilla horilla

Thu, 22 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. This occurs due to insufficient server-side validation of the employee_id parameter during file upload operations, allowing any authenticated employee to upload document in behalf of any employee. Version 1.5.0 fixes the issue.
Title Horilla has Improper Access Control Issue that Allows Unauthorized Document Upload on Behalf of Another Employee
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Horilla Horilla
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T12:41:56.958Z

Reserved: 2026-01-20T22:30:11.776Z

Link: CVE-2026-24035

cve-icon Vulnrichment

Updated: 2026-01-22T12:41:52.625Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T04:15:59.453

Modified: 2026-01-29T19:02:03.140

Link: CVE-2026-24035

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses