Description
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This exposes sensitive HR files such as identity documents, contracts, certificates, and other private employee records.
Published: 2026-04-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access
Action: Patch
AI Analysis

Impact

An insecure direct object reference in Horilla’s employee document viewer allows any authenticated user to change a numeric document identifier in the URL and obtain access to other employees’ confidential files, including identity documents, contracts, and certificates. This weakness is aligned with CWE-284, illustrating erroneous permission assignment, and CWE-639, reflecting authorization bypass through user-controlled input. The exposed data could lead to identity theft, privacy violations, and compromise of sensitive corporate records if accessed by malicious actors.

Affected Systems

The affected product is the open-source Human Resource Management System Horilla, version 1.5.0. Users running this exact version of the software are vulnerable; all newer releases that have applied the fix are not affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity. Because the vulnerability requires authentication, an attacker must possess valid user credentials or gain access through other means before exploitation can occur. Current EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. Nonetheless, any organization that stores sensitive employee records should consider the risk of internal misuse or credential compromise.

Generated by OpenCVE AI on April 22, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Horilla release that contains the IDOR fix, or apply the vendor patch if available.
  • Restrict access to the document viewer to users with HR or administrative roles, ensuring that only authorized personnel can request document IDs.
  • Implement server-side validation that checks the requesting user’s permissions against the employee record before returning the file.
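The third recommendation is an object-level authorization check: the handler must verify that the logged-in user is entitled to the specific employee record the document belongs to, not merely that the document ID exists. The following is an added illustration written for this page, not Horilla's code: a framework-independent sketch of the vulnerable pattern behind a route like `/employee/view-file/<int:id>` beside a hardened version. The `User`, `EmployeeDocument`, `DOCUMENTS` table and the HR-role rule are all constructed assumptions for the example.

```python
from dataclasses import dataclass
import logging

log = logging.getLogger("document_viewer")


class DocumentNotAvailable(LookupError):
    """Raised for both 'no such document' and 'not yours'.

    Collapsing the two cases into one response stops a caller from learning
    which IDs exist by comparing 404 against 403 status codes.
    """


@dataclass(frozen=True)
class User:
    user_id: int
    employee_id: int        # the employee record this login belongs to
    is_hr: bool = False     # HR / admin staff may read any employee's files


@dataclass(frozen=True)
class EmployeeDocument:
    doc_id: int
    employee_id: int        # owner of the uploaded file
    path: str


# Constructed sample data standing in for the employee-document table.
DOCUMENTS = {
    10: EmployeeDocument(doc_id=10, employee_id=1, path="uploads/emp1/passport.pdf"),
    11: EmployeeDocument(doc_id=11, employee_id=2, path="uploads/emp2/contract.pdf"),
}


def view_file_vulnerable(requester: User, doc_id: int) -> str:
    """IDOR pattern: only checks that the row exists (and that the caller is
    logged in, which is implied by having a User at all). The document's
    owner is never compared with the requester."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise DocumentNotAvailable(doc_id)
    return doc.path


def can_view(requester: User, doc: EmployeeDocument) -> bool:
    """Authorization rule assumed for this example: the owner or HR staff."""
    return requester.is_hr or requester.employee_id == doc.employee_id


def view_file_fixed(requester: User, doc_id: int) -> str:
    """Hardened handler: the lookup and the ownership check happen server-side,
    before any file path is returned, and a denied request is logged so that
    ID-walking attempts show up in audit data."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_view(requester, doc):
        log.warning("document access denied user=%s doc_id=%s", requester.user_id, doc_id)
        raise DocumentNotAvailable(doc_id)
    return doc.path


if __name__ == "__main__":
    owner = User(user_id=1, employee_id=1)
    other = User(user_id=2, employee_id=2)
    hr = User(user_id=3, employee_id=3, is_hr=True)
    print("vulnerable, other employee:", view_file_vulnerable(other, 10))  # leaks
    print("fixed, owner:", view_file_fixed(owner, 10))
    print("fixed, HR:", view_file_fixed(hr, 10))
    try:
        view_file_fixed(other, 10)
    except DocumentNotAvailable:
        print("fixed, other employee: denied")
```

In a real Django-style view the same check would sit between the `get_object_or_404`-style lookup and the `FileResponse`; the important property is that the decision is made from the requester's server-side identity and the record's stored owner, never from anything supplied in the request.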


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Horilla
                                      Horilla horilla
Vendors & Products   -                Horilla
                                      Horilla horilla

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description   -                Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This exposes sensitive HR files such as identity documents, contracts, certificates, and other private employee records.
Title         -                Horilla: Insecure Direct Object Reference at `/employee/view-file/<int:id>`
Weaknesses    -                CWE-284
                               CWE-639
References    -                -
Metrics       -                cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}
                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T18:45:50.143Z

Reserved: 2026-04-15T15:57:41.718Z

Link: CVE-2026-40865

Vulnrichment

Updated: 2026-04-21T18:45:35.731Z

NVD

Status: Received

Published: 2026-04-21T19:16:18.017

Modified: 2026-04-21T19:16:18.017

Link: CVE-2026-40865

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:54Z

Weaknesses