Description
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the document ID in the upload request. This enables unauthorized modification of HR records.
Published: 2026-04-21
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Document Overwrite
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an insecure direct object reference in the employee document upload endpoint of the Horilla HRMS version 1.5.0. Any authenticated user can modify the document ID in the upload request and overwrite, replace, or corrupt another employee’s file, enabling unauthorized changes to HR records. This flaw violates integrity and is an instance of broken access control (CWE‑284) and an authorization bypass (CWE‑639).

Affected Systems

Affects the Horilla open‑source Human Resource Management System, specifically version 1.5.0. No other versions are listed in the advisory.

Risk and Exploitability

With a CVSS score of 8.6 the vulnerability presents high severity. While the EPSS score is not available and the flaw is not listed in KEV, the lack of these metrics does not diminish the threat. An attacker must first be authenticated and possess upload privileges, then can alter the destination document ID to target any employee, resulting in tampering of personnel records and potential compromise of confidentiality, integrity, and contractual obligations. Immediate remediation is recommended to prevent unauthorized document manipulation.

Generated by OpenCVE AI on April 22, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Horilla that corrects the document ID validation or to any released update that removes the insecure direct object reference.
  • If a patch is not yet available, enforce strict validation of document identifiers by checking that the ID belongs to the authenticated employee or that the employee has explicitly granted permission to modify that document.
  • Enable detailed audit logging for document upload operations and regularly review logs for unexpected changes.
  • Restrict user roles that have access to the upload endpoint to only those that truly require document uploads, applying the principle of least privilege to reduce the attack surface.

Generated by OpenCVE AI on April 22, 2026 at 05:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Horilla
Horilla horilla
Vendors & Products Horilla
Horilla horilla

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the document ID in the upload request. This enables unauthorized modification of HR records.
Title Horilla: Unauthorized Document Overwrite via File Upload Endpoint
Weaknesses CWE-284
CWE-639
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Horilla Horilla
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:29:21.663Z

Reserved: 2026-04-15T15:57:41.718Z

Link: CVE-2026-40866

cve-icon Vulnrichment

Updated: 2026-04-21T19:29:12.985Z

cve-icon NVD

Status : Received

Published: 2026-04-21T19:16:18.170

Modified: 2026-04-21T20:17:00.093

Link: CVE-2026-40866

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:45:53Z

Weaknesses