Platform: php
Component: horilla-hr
Fixed in: 1.5.1
CVE-2026-40865 describes an insecure direct object reference (IDOR) vulnerability within the Horilla HRMS, a free and open-source Human Resource Management System. This flaw allows authenticated users to bypass access controls and view documents belonging to other employees, potentially exposing highly sensitive information. The vulnerability affects versions 1.5.0 through 1.5.0 of Horilla HRMS, and a fix is pending release from the vendor.
The primary impact of CVE-2026-40865 is the unauthorized disclosure of sensitive employee data. An attacker, already authenticated within the Horilla HRMS, can manipulate the document ID parameter in the employee document viewer to access files belonging to other users. This could include identity documents (passports, driver's licenses), employment contracts, performance reviews, salary information, certificates, and other confidential records. The blast radius extends to all employees within the organization using Horilla HRMS, as any authenticated user could potentially access the data of others. Lateral movement is not directly enabled by this vulnerability, but the compromised data could be used in subsequent attacks targeting individual employees. The potential for reputational damage and legal repercussions due to the exposure of sensitive personal information is significant.
CVE-2026-40865 was published on 2026-04-21. The vulnerability's severity is pending evaluation. No public proof-of-concept (POC) code has been identified at the time of writing. There are no indications of active exploitation campaigns targeting this vulnerability. It is not currently listed on KEV or EPSS, suggesting a low probability of near-term exploitation, but this could change as the vulnerability becomes more widely known. Refer to the NVD (National Vulnerability Database) for updates and further information.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC:
Due to the nature of the IDOR vulnerability, immediate mitigation options are limited until a patched version of Horilla HRMS is released. As a temporary workaround, implement strict access controls within the application to limit the visibility of employee documents. This could involve role-based access control (RBAC) where users only have access to documents relevant to their specific roles. Consider implementing input validation on the document ID parameter to prevent manipulation. Web Application Firewalls (WAFs) can be configured with rules to detect and block requests with suspicious document ID patterns. Regularly review user permissions and access logs to identify any unauthorized access attempts. After a patched version is released, upgrade Horilla HRMS to the latest version as soon as possible. After upgrade, confirm by attempting to access another employee's document with a modified document ID – access should be denied.
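The workaround above comes down to one missing check: the document viewer must tie the lookup to the requesting user (or an HR role) instead of trusting the document ID alone. The following is an added illustration, not Horilla HRMS code; the model, the role name `hr_admin` and the sample records are assumptions, and the hardened viewer also shows the input validation and denied-attempt logging the mitigation advice calls for.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    title: str

# Constructed sample records standing in for the HRMS document table.
DOCUMENTS = {
    101: Document(101, owner_id=1, title="passport-alice.pdf"),
    102: Document(102, owner_id=2, title="contract-bob.pdf"),
}
DENIED_LOG: list[str] = []  # entries an access-log review would inspect


def parse_doc_id(raw: str) -> Optional[int]:
    """Input validation: accept only a plain positive integer, else None."""
    return int(raw) if raw.isdigit() and int(raw) > 0 else None


def view_document_vulnerable(user: User, raw_id: str) -> Optional[Document]:
    """IDOR pattern: looks the record up by ID and never asks who owns it."""
    doc_id = parse_doc_id(raw_id)
    return DOCUMENTS.get(doc_id) if doc_id is not None else None


def view_document(user: User, raw_id: str) -> Optional[Document]:
    """Hardened viewer: the record must belong to the requester, or the
    requester must hold an HR role (hypothetical role name 'hr_admin')."""
    doc_id = parse_doc_id(raw_id)
    doc = DOCUMENTS.get(doc_id) if doc_id is not None else None
    allowed = doc is not None and (
        doc.owner_id == user.user_id or "hr_admin" in user.roles
    )
    if not allowed:
        # Log the attempt and return the same result as "not found", so the
        # viewer cannot be used to tell which document IDs exist.
        DENIED_LOG.append(f"denied user={user.user_id} doc_id={raw_id!r}")
        return None
    return doc
```

The post-upgrade verification step described above maps directly onto `view_document`: a request for another employee's document ID must come back as denied while the owner's and HR's requests succeed.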
Update to a patched version of Horilla HRMS. The Insecure Direct Object Reference (IDOR) vulnerability allows authenticated users to access documents from other employees. The update will resolve this issue by preventing unauthorized access to sensitive data.
It's an IDOR vulnerability in Horilla HRMS versions 1.5.0-1.5.0, allowing authenticated users to access other employees' documents.
If you are using Horilla HRMS version 1.5.0, you are potentially affected by this vulnerability. Assess your access controls and monitor for suspicious activity.
Upgrade to a patched version of Horilla HRMS when available. Until then, implement strict access controls and input validation as temporary workarounds.
There are currently no indications of active exploitation campaigns targeting this vulnerability, but vigilance is still required.
Refer to the National Vulnerability Database (NVD) entry for CVE-2026-40865 for the latest information and updates.