Impact
A flaw in the OTP handling logic of Horilla makes the equality check between the user‑supplied OTP and the stored OTP perform a comparison with a None value when an OTP has expired. If an attacker omits the OTP field in a POST request, the request OTP is also None and the comparison succeeds, allowing an authenticated session without a valid code. This flaw permits a user to bypass the two‑factor authentication entirely, potentially granting full access to the system, including administrator accounts. The compromised account can then retrieve sensitive HR data, modify employee records, and execute additional actions across the platform, thereby affecting confidentiality, integrity, and availability.
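The comparison described above, reduced to its essentials, beside a hardened version; this is an added illustration, not Horilla's own code, and the helper names (make_record, stored_otp, vulnerable_check, hardened_check) and the assumption that an expired OTP reads back as None are modelled on the description rather than taken from the project.

```python
import hmac
import time


# Constructed stand-in for the session or database row that holds the issued OTP.
def make_record(code, ttl_seconds):
    return {"otp": code, "expires_at": time.time() + ttl_seconds}


def stored_otp(record, now=None):
    """Return the stored code, or None once it has expired (assumed behaviour)."""
    now = time.time() if now is None else now
    if record["expires_at"] < now:
        return None
    return record["otp"]


def vulnerable_check(record, form, now=None):
    """Flawed pattern: a plain equality test on whatever both sides hold.

    If the OTP has expired (stored value None) and the POST body omits the
    field (form.get returns None), None == None is True and the check passes.
    """
    return form.get("otp") == stored_otp(record, now)


def hardened_check(record, form, now=None):
    """Reject absent or expired values first, then compare in constant time."""
    submitted = form.get("otp")
    expected = stored_otp(record, now)
    # Both sides must be non-empty strings; a missing field or an expired
    # code can never satisfy the check, regardless of what the other side is.
    if not isinstance(submitted, str) or not isinstance(expected, str):
        return False
    if not submitted or not expected:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())
```

Logging a rejected None on either side gives a cheap detection signal for requests that omit the OTP field entirely.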
Affected Systems
The issue exists in Horilla HRMS version 1.4.0, identified by the CPE string cpe:2.3:a:horilla:horilla:1.4.0. The vendor, Horilla Open Source, has released a patch in version 1.5.0 that resolves the vulnerability.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.1, indicating high severity. The EPSS score is below 1%, implying a low overall exploitation probability at the current time, and the vulnerability is not listed in CISA’s KEV catalog. The attack is likely remote, requiring an attacker to submit a crafted POST request to the authentication endpoint. Successful exploitation permits an attacker to authenticate and gain the same permissions as the targeted account, especially if the account is an administrator. While the exploitation probability is low, the potential impact on sensitive HR information and system integrity warrants prompt remediation.
OpenCVE Enrichment