CVE-2026-24039 MEDIUM

CVE-2026-24039: Horilla's Improper Access Control Allows Employees to Auto-Approve Documents

Vendor Horilla-Opensource

Product horilla

Weakness CWE-284

Published January 22, 2026

Last update January 22, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0.

Key dates

02Disclosure timeline

January 22, 2026 CVE published

January 22, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24039

Related vulnerabilities

CVE-2026-24039: Horilla's Improper Access Control Allows Employees to Auto-Approve Documents

01Description

02Disclosure timeline

03References

04Related CVE