Description
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose sensitive support files and internal documents across unrelated users or teams.
Published: 2026-04-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to attachments
Action: Apply Patch
AI Analysis

Impact

Horilla 1.5.0 contains a broken access control flaw in the helpdesk attachment viewer: the viewer serves whatever attachment matches the ID supplied in the request without verifying that the requesting user is entitled to the ticket that attachment belongs to, so any authenticated user can change the ID and read attachments from other tickets. The weakness is classified as CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key), i.e. an insecure direct object reference. The CVSS 4.0 vector (VC:H, VI:N, VA:N) rates the impact as high on confidentiality only: support files and internal documents become readable across unrelated users or teams, and anything sensitive in those files can feed further attacks.
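The pattern above, as an added example that is not Horilla's code: a Django-style attachment viewer that trusts the user-supplied ID (the CWE-639 shape the advisory describes) beside one that authorizes on the parent ticket. The in-memory data model, the user/ticket/attachment names and the permission rule are hypothetical and stand in for the framework so the block runs stand-alone; only the check "does this attachment's ticket belong to the requester" is the point.

```python
"""Added example (not Horilla's code): the missing object-level check
behind the helpdesk attachment flaw, and one way to close it. Modelled
without Django so it runs stand-alone; all names are hypothetical."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (HTTP 403)."""


@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False


@dataclass
class Ticket:
    id: int
    owner: str                                  # username that raised the ticket
    assignees: set = field(default_factory=set)  # usernames working the ticket


@dataclass
class Attachment:
    id: int
    ticket_id: int
    filename: str
    content: bytes


# Constructed sample data: two unrelated tickets, one attachment each.
TICKETS = {
    101: Ticket(101, owner="alice", assignees={"hr-agent"}),
    102: Ticket(102, owner="bob", assignees={"it-agent"}),
}
ATTACHMENTS = {
    1: Attachment(1, 101, "payslip_dispute.pdf", b"%PDF-1.4 alice ..."),
    2: Attachment(2, 102, "laptop_invoice.pdf", b"%PDF-1.4 bob ..."),
}


def view_attachment_vulnerable(user: User, attachment_id: int) -> bytes:
    """CWE-639 pattern: fetch by the user-supplied ID and return the file to
    any authenticated caller. Nothing ties the attachment to a ticket the
    caller may see, so editing the ID in the URL reads another ticket's file."""
    return ATTACHMENTS[attachment_id].content


def can_view_ticket(user: User, ticket: Ticket) -> bool:
    """Hypothetical object-level rule: superusers, the owner, and assignees."""
    return (user.is_superuser
            or user.username == ticket.owner
            or user.username in ticket.assignees)


def view_attachment_hardened(user: User, attachment_id: int) -> bytes:
    """Authorize on the parent ticket, not merely on the attachment ID.
    Unknown and forbidden IDs raise the same error so the endpoint cannot
    be used to enumerate which attachment IDs exist."""
    attachment = ATTACHMENTS.get(attachment_id)
    ticket = TICKETS.get(attachment.ticket_id) if attachment else None
    if ticket is None or not can_view_ticket(user, ticket):
        raise PermissionDenied(f"attachment {attachment_id}")
    return attachment.content


def idor_possible(viewer, user: User, own_id: int, other_id: int) -> bool:
    """True if `user`, having legitimately read `own_id`, can also read
    `other_id` through `viewer` just by changing the ID."""
    viewer(user, own_id)
    try:
        viewer(user, other_id)
    except PermissionDenied:
        return False
    return True


if __name__ == "__main__":
    bob = User("bob")
    print("vulnerable viewer leaks:", idor_possible(view_attachment_vulnerable, bob, 2, 1))  # True
    print("hardened viewer leaks:  ", idor_possible(view_attachment_hardened, bob, 2, 1))    # False
```

The fix lives in the lookup, not in the role table: `can_view_ticket` answers a per-object question, which is exactly what a role check ("may this user open the attachment viewer at all?") cannot.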

Affected Systems

The issue affects the open-source Horilla HRMS, specifically version 1.5.0. Users running this version should be aware that any authenticated account can abuse this flaw to download attachments from unrelated users or teams.

Risk and Exploitability

The CVSS 4.0 base score of 7.1 is rated High. The vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) says the endpoint is reachable over the network, the attack is low-complexity with no preconditions or user interaction, and it needs only a low-privileged authenticated account; the impact is confined to confidentiality. The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, so no exploitation in the wild has been recorded, but the SSVC assessment lists Exploitation as "poc", meaning a proof of concept is known, and the flaw is trivial to reproduce by hand since it amounts to editing an ID in a request. Because Horilla is an HR system, every employee account is a potential attacker, and a single phished or stolen credential turns into read access to the whole helpdesk attachment store.

Generated by OpenCVE AI on April 22, 2026 at 06:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Horilla release that includes an authorization fix for attachment access as soon as one is published; as of this entry no fixed version is listed.
  • Until then, narrow the blast radius: restrict the helpdesk attachment-viewing permission to the roles that need it, or temporarily disable the attachment viewing endpoint. Role-based restrictions only reduce who can exploit the flaw; the missing check is per object (does this user belong to this ticket?), and only a code fix that validates the attachment's ticket against the requesting user closes it.
  • Audit helpdesk attachment access logs for enumeration patterns (one account fetching many attachment IDs in quick succession, or IDs outside its own tickets) and, once the fix is in place, add object-level authorization tests so the check cannot regress.
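A retrospective check of the kind the audit recommendation calls for, as an added example that is neither OpenCVE's nor Horilla's code. It assumes an access log that records the authenticated username and the requested path, a hypothetical attachment URL shape, and a per-user set of attachment IDs the user legitimately owns or is assigned (in a real audit this comes from the ticket tables). The sample log lines are constructed. It flags both explicit out-of-scope reads and the burst of distinct IDs typical of ID walking, so it still catches enumeration when the ownership map is incomplete.

```python
"""Added example (not OpenCVE's or Horilla's code): find attachment-ID
walking in helpdesk access logs. Log format, URL path and the ALLOWED
map are assumptions; the sample log is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape: ISO timestamp, authenticated user, path, HTTP status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) GET "
    r"/helpdesk/attachment/(?P<att>\d+) (?P<status>\d{3})$"
)

# Constructed sample: alice and hr-agent read their own files; bob reads his
# one attachment and then walks IDs 1..6 within forty seconds.
SAMPLE_LOG = """\
2026-04-22T09:00:01Z user=alice GET /helpdesk/attachment/17 200
2026-04-22T09:05:10Z user=bob GET /helpdesk/attachment/2 200
2026-04-22T09:05:18Z user=bob GET /helpdesk/attachment/1 200
2026-04-22T09:05:25Z user=bob GET /helpdesk/attachment/3 200
2026-04-22T09:05:31Z user=bob GET /helpdesk/attachment/4 200
2026-04-22T09:05:40Z user=bob GET /helpdesk/attachment/5 200
2026-04-22T09:05:50Z user=bob GET /helpdesk/attachment/6 200
2026-04-22T09:30:00Z user=hr-agent GET /helpdesk/attachment/17 200
2026-04-22T09:31:00Z user=hr-agent GET /helpdesk/attachment/18 200
"""

# Constructed: attachment IDs each user may legitimately read, derived from
# ticket ownership and assignment in a real audit.
ALLOWED = {
    "alice": {17},
    "bob": {2},
    "hr-agent": {17, 18, 19, 20},
}


def parse_log(text):
    """Yield (timestamp, user, attachment_id, status) for successful (200)
    attachment downloads; non-matching lines and denied requests are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["status"] == "200":
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], int(m["att"]), int(m["status"])


def audit(text, allowed=ALLOWED, window=timedelta(minutes=10), threshold=5):
    """Return {user: finding} for every user who read an attachment outside
    their allowed set, or fetched >= threshold distinct IDs inside `window`."""
    per_user = defaultdict(list)
    for ts, user, att, _ in parse_log(text):
        per_user[user].append((ts, att))

    findings = {}
    for user, events in per_user.items():
        events.sort()
        unauthorized = sorted({a for _, a in events
                               if a not in allowed.get(user, set())})
        # Sliding window over the user's downloads: largest number of
        # distinct attachment IDs fetched within any `window` span.
        burst, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = max(burst, len({a for _, a in events[start:end + 1]}))
        if unauthorized or burst >= threshold:
            findings[user] = {"unauthorized_ids": unauthorized,
                              "max_ids_in_window": burst}
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_LOG).items():
        print(user, finding)
```

Tune `threshold` and `window` to the instance: HR agents legitimately open many attachments, which is why the ownership check carries the weight and the burst rule is the backstop.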

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Horilla; Horilla horilla
Vendors & Products  |                | Horilla; Horilla horilla

Wed, 22 Apr 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose sensitive support files and internal documents across unrelated users or teams.
Title       |                | Horilla: Unauthorized Helpdesk Attachment Access via Attachment ID Manipulation
Weaknesses  |                | CWE-284; CWE-639
References  |                |
Metrics     |                | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}
            |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:36:38.138Z

Reserved: 2026-04-15T15:57:41.718Z

Link: CVE-2026-40867

Vulnrichment

Updated: 2026-04-21T19:54:13.906Z

NVD

Status: Received

Published: 2026-04-21T19:16:18.293

Modified: 2026-04-21T21:16:43.187

Link: CVE-2026-40867

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:52Z

Weaknesses