CVE-2026-24039
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-29
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| horilla | horilla | 1.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Access Control issue in Horilla HRMS version 1.4.0 that allows low-privileged employees to self-approve documents they have uploaded. Normally, only administrators or high-privilege users should be able to approve documents. However, due to insufficient server-side authorization checks on the document approval endpoint, standard employees can change the approval status of their own documents from "requested" to "approved." This compromises the integrity of HR processes such as credential and certification verification. [1]
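To make the missing server-side check concrete, the following is an added illustration written for this page, not Horilla's own code: a weak approval handler that only verifies that the caller is logged in, beside a hardened one that requires an approver role, refuses self-approval and only acts on documents still in the "requested" state. The User, Document, approve_vulnerable and approve_hardened names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class User:
    id: int
    role: str  # hypothetical roles: "employee" or "admin"


@dataclass
class Document:
    id: int
    owner_id: int
    status: str = "requested"  # constructed lifecycle: requested -> approved


class Forbidden(Exception):
    """Raised when an authorization check fails."""


def approve_vulnerable(actor: Optional[User], doc: Document) -> Document:
    """Weak check: being authenticated is enough to flip the status.
    An employee can therefore approve the document they uploaded."""
    if actor is None:
        raise Forbidden("login required")
    doc.status = "approved"
    return doc


def approve_hardened(actor: Optional[User], doc: Document) -> Document:
    """Server-side authorization: role, ownership and state are all checked."""
    if actor is None:
        raise Forbidden("login required")
    if actor.role != "admin":
        raise Forbidden("approval requires an approver role")
    if actor.id == doc.owner_id:
        raise Forbidden("self-approval is not allowed")
    if doc.status != "requested":
        raise Forbidden("only pending documents can be approved")
    doc.status = "approved"
    return doc


def try_approve(handler: Callable[[Optional[User], Document], Document],
                actor: Optional[User], doc: Document) -> bool:
    """Return True if the handler approved the document, False if it refused."""
    try:
        handler(actor, doc)
        return True
    except Forbidden:
        return False
```

Running both handlers with an employee against their own document shows the weak handler approving it while the hardened one refuses and leaves the status unchanged.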
How can this vulnerability impact me?
Exploitation of this vulnerability allows employees with only basic permissions to alter application states reserved for administrators, such as approving documents without proper authorization. This undermines the integrity of HR processes, potentially allowing submission and acceptance of unvetted or fraudulent documents, which can affect hiring, credential verification, and compliance within the organization. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and intercepting HTTP requests to the document approval endpoint in Horilla HRMS version 1.4.0. Specifically, look for requests where an employee-level user attempts to change the approval status of their own uploaded documents. Using tools like a web proxy (e.g., Burp Suite) or command-line utilities (e.g., curl) to replay or modify approval requests can help identify if the server improperly authorizes such actions. For example, a curl command could be used to send an approval request with employee credentials and observe if the status changes without administrator privileges. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Horilla HRMS to version 1.5.0 or later, where this improper access control vulnerability is fixed. Until the upgrade is applied, restrict employee access to the document approval functionality and monitor for unauthorized approval actions. Additionally, consider implementing network-level controls or application firewalls to block unauthorized modification attempts to the approval endpoint. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability undermines the integrity of HR processes by allowing low-privileged employees to self-approve documents such as credentials and certifications without proper authorization. This could lead to submission and acceptance of unvetted documents, potentially impacting compliance with standards and regulations that require strict control and verification of employee data and documentation, such as GDPR and HIPAA. However, specific impacts on compliance are not detailed in the provided resources. [1]