Platform
python
Component
horilla
Fixed in
1.5.1
CVE-2026-40867 describes a broken access control vulnerability in Horilla HRMS, a free and open-source human resource management system built on Django. An authenticated user can bypass access restrictions in the helpdesk module and view attachments belonging to other users' support tickets. Version 1.5.0 is affected; the issue is fixed in 1.5.1.
The primary impact of CVE-2026-40867 is unauthorized exposure of sensitive data. An attacker with any valid account on the Horilla HRMS instance can change the attachment ID parameter in the helpdesk attachment viewer and retrieve files attached to tickets they do not own and are not assigned to. Those files may include confidential support documents, internal communications, and personally identifiable information (PII) submitted with HR tickets. Because the check that is missing is object-level authorization rather than authentication, every attachment on every ticket is reachable by every authenticated helpdesk user, and attachment IDs are predictable enough to enumerate. This is a classic insecure direct object reference (IDOR): it does not grant code execution or elevated privileges, but it allows bulk exfiltration of ticket attachments by any low-privileged user.
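The following is an added illustration of the flaw and its fix, not Horilla's own code: plain dataclasses stand in for the Django ORM models, and the class names, fields and the staff-sees-everything rule are assumptions. The vulnerable lookup trusts the attachment ID after authentication; the hardened lookup resolves the owning ticket and checks the caller's relationship to it. `probe_idor` is the kind of post-upgrade check the mitigation section calls for: walk a range of IDs as a low-privileged test account and report every attachment that comes back from a ticket that account should not see.

```python
"""Illustrative model of an attachment IDOR in a helpdesk module and its fix.

Added example, not Horilla's code: class and field names are assumptions,
and plain dataclasses stand in for Django ORM models so it runs offline.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_staff: bool = False  # assumption: helpdesk staff may see every ticket


@dataclass(frozen=True)
class Ticket:
    id: int
    owner_id: int
    assignee_ids: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Attachment:
    id: int
    ticket_id: int
    filename: str


class NotFound(Exception):
    """Raised for missing *and* unauthorized ids, so the response does not reveal which."""


class HelpdeskStore:
    def __init__(self, users, tickets, attachments):
        self.users = {u.id: u for u in users}
        self.tickets = {t.id: t for t in tickets}
        self.attachments = {a.id: a for a in attachments}

    def can_view_ticket(self, user, ticket):
        return (user.is_staff or ticket.owner_id == user.id
                or user.id in ticket.assignee_ids)

    def get_attachment_vulnerable(self, user, attachment_id):
        # Broken access control: the caller is authenticated, but the attachment
        # id from the request is trusted as-is and never tied to a ticket the
        # caller is allowed to see.
        att = self.attachments.get(attachment_id)
        if att is None:
            raise NotFound(attachment_id)
        return att

    def get_attachment_hardened(self, user, attachment_id):
        # Object-level authorization: resolve the owning ticket and check the
        # caller's relationship to it before handing back the file.
        att = self.attachments.get(attachment_id)
        if att is None or not self.can_view_ticket(user, self.tickets[att.ticket_id]):
            raise NotFound(attachment_id)
        return att


def probe_idor(store, user, lookup, id_range):
    """Walk attachment ids as `user` and return the ids that `lookup` returns
    although they belong to tickets `user` may not see. An empty list means the
    endpoint enforces ownership; run this with a test account after upgrading."""
    leaked = []
    for aid in id_range:
        try:
            att = lookup(user, aid)
        except NotFound:
            continue
        if not store.can_view_ticket(user, store.tickets[att.ticket_id]):
            leaked.append(aid)
    return leaked


def build_sample_store():
    """Constructed data: three users, three tickets, four attachments."""
    alice, bob, carol = User(1, "alice"), User(2, "bob"), User(3, "carol", is_staff=True)
    tickets = [
        Ticket(10, owner_id=1),
        Ticket(20, owner_id=2),
        Ticket(30, owner_id=2, assignee_ids=frozenset({1})),
    ]
    attachments = [
        Attachment(1, 10, "alice-payslip-query.pdf"),
        Attachment(2, 20, "bob-contract.pdf"),
        Attachment(3, 30, "shared-notes.txt"),
        Attachment(4, 20, "bob-medical-cert.pdf"),
    ]
    return HelpdeskStore([alice, bob, carol], tickets, attachments)


if __name__ == "__main__":
    store = build_sample_store()
    alice = store.users[1]
    print("vulnerable:", probe_idor(store, alice, store.get_attachment_vulnerable, range(1, 6)))
    print("hardened:  ", probe_idor(store, alice, store.get_attachment_hardened, range(1, 6)))
```

Two design points carry over to the real Django view: the authorization check must be expressed through the attachment's owning ticket (in the ORM, filter the attachment queryset by the ticket relationship rather than fetching by primary key alone), and an unauthorized ID should produce the same 404 as a nonexistent one so the endpoint does not double as an oracle for which IDs exist.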
CVE-2026-40867 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code had been released at the time of writing, but the flaw is simple enough that a PoC amounts to an authenticated user changing the attachment ID in the request. It is not currently listed in the CISA KEV catalog, and there are no reports of active exploitation campaigns. Because the impact is data exposure reachable from any low-privileged account, it is a plausible target for opportunistic insiders or attackers who have already phished an employee's credentials.
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
The immediate mitigation for CVE-2026-40867 is to upgrade Horilla HRMS to version 1.5.1 or later, which contains the fix. If an upgrade has to wait, restrict access to the helpdesk attachment viewer by role so that only the users who genuinely need it can reach the endpoint; this narrows the pool of possible attackers but does not close the hole for those who remain. Note that input validation on the attachment ID parameter (for example, rejecting non-numeric values) does not address the root cause: a well-formed ID belonging to someone else's ticket is still accepted. The real fix is an object-level authorization check that ties the requested attachment to a ticket the caller owns, is assigned to, or is otherwise entitled to see. Review user access rights regularly, and check web server or application logs for a single account fetching many distinct attachment IDs in a short period, which is the signature of enumeration. After upgrading, confirm the fix by logging in with a low-privileged test account and requesting attachment IDs that belong to other users' tickets; each request should be refused.
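As an added example of the log review recommended above (not tooling from the page or the Horilla project), the script below scans access-log lines for a single actor successfully fetching many distinct attachment IDs within a short window. Assumptions: the logs are in combined format with the authenticated username in the third field (as a reverse proxy can write it), and the attachment route matches `/helpdesk/ticket/attachment/<id>/`; the page does not give Horilla's real route, so adjust `ATTACHMENT_RE` to the deployment. The sample log lines are constructed.

```python
"""Spot attachment-id enumeration in web access logs.

Added example, not Horilla's code. Assumptions: combined log format with the
authenticated username in the third field, and an attachment route shaped
like /helpdesk/ticket/attachment/<id>/ (change ATTACHMENT_RE to match the
real route of the deployment).
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed route; the real Horilla URL is not given on the page.
ATTACHMENT_RE = re.compile(r"^/helpdesk/ticket/attachment/(?P<id>\d+)/?(?:\?.*)?$")

# Constructed sample: alice opens two of her own files; mallory walks ids 100-106.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/Apr/2026:10:00:01 +0000] "GET /helpdesk/ticket/attachment/1/ HTTP/1.1" 200 5120
10.0.0.5 - alice [21/Apr/2026:10:14:07 +0000] "GET /helpdesk/ticket/attachment/3/ HTTP/1.1" 200 2048
10.0.0.9 - mallory [21/Apr/2026:10:20:00 +0000] "GET /helpdesk/ticket/attachment/100/ HTTP/1.1" 200 7001
10.0.0.9 - mallory [21/Apr/2026:10:20:02 +0000] "GET /helpdesk/ticket/attachment/101/ HTTP/1.1" 200 8813
10.0.0.9 - mallory [21/Apr/2026:10:20:04 +0000] "GET /helpdesk/ticket/attachment/102/ HTTP/1.1" 404 0
10.0.0.9 - mallory [21/Apr/2026:10:20:06 +0000] "GET /helpdesk/ticket/attachment/103/ HTTP/1.1" 200 1207
10.0.0.9 - mallory [21/Apr/2026:10:20:08 +0000] "GET /helpdesk/ticket/attachment/104/ HTTP/1.1" 200 4400
10.0.0.9 - mallory [21/Apr/2026:10:20:10 +0000] "GET /helpdesk/ticket/attachment/105/ HTTP/1.1" 200 3300
10.0.0.9 - mallory [21/Apr/2026:10:20:12 +0000] "GET /helpdesk/ticket/attachment/106/ HTTP/1.1" 200 9100
10.0.0.9 - mallory [21/Apr/2026:10:20:14 +0000] "GET /helpdesk/ticket/ HTTP/1.1" 200 1500
"""


def parse_line(line):
    """Return (actor, timestamp, attachment_id, status), or None for non-attachment requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    a = ATTACHMENT_RE.match(m["path"])
    if not a:
        return None
    actor = m["user"] if m["user"] != "-" else m["ip"]  # fall back to IP if unauthenticated
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return actor, ts, int(a["id"]), int(m["status"])


def find_enumeration(lines, window_s=60, min_distinct=5):
    """Flag actors that successfully fetched at least `min_distinct` distinct
    attachment ids inside any `window_s`-second window.
    Returns {actor: (distinct_count, lowest_id, highest_id)} for the first
    window per actor that crosses the threshold."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev[3] == 200:  # only successful downloads count as exposure
            hits[ev[0]].append((ev[1], ev[2]))
    alerts = {}
    for actor, evs in hits.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            ids = {aid for _, aid in evs[start:end + 1]}
            if len(ids) >= min_distinct:
                alerts[actor] = (len(ids), min(ids), max(ids))
                break
    return alerts


if __name__ == "__main__":
    for actor, (n, lo, hi) in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{actor}: {n} distinct attachments (ids {lo}-{hi}) within 60s")
```

The threshold and window are deliberately conservative; tune them against a baseline of normal helpdesk use before alerting on them. After the upgrade the same enumeration shows up as a burst of 404s instead of 200s, which is still worth flagging as reconnaissance, so a second pass that counts failed fetches per actor is a cheap addition.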
Update Horilla to version 1.5.1 or later, which addresses the broken access control vulnerability. Check the release notes or GitHub repository for specific upgrade instructions. Ensure that only authorized users have access to helpdesk attachments.
CVE-2026-40867 is a broken access control vulnerability in Horilla HRMS version 1.5.0 that allows authenticated users to view attachments from other users' tickets by manipulating the attachment ID.
If you are running Horilla HRMS version 1.5.0, you are affected by this vulnerability. Check your version and upgrade to 1.5.1 or later.
The recommended fix is to upgrade to Horilla HRMS 1.5.1 or later. Until you can upgrade, restrict access to the helpdesk attachment viewer by role and monitor logs for attachment ID enumeration.
There are currently no reports of active exploitation campaigns for CVE-2026-40867, but the vulnerability's simplicity suggests it could be targeted.
Refer to the official Horilla HRMS GitHub repository and its security advisories for updates and the latest information regarding CVE-2026-40867.