Executive Summary

CVE-2026-40865 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in the Horilla Human Resource Management System (HRMS), specifically in the employee document viewer.

The vulnerability occurs because the system allows any authenticated user to access documents belonging to other employees by simply changing the document ID in the request URL to the employee document viewer endpoint `/employee/view-file/<int:id>`.

The root cause is that the system retrieves documents without verifying if the requesting user owns or has permission to access the document. The endpoint is only protected by login requirements but lacks object-level authorization checks.

As a result, an attacker can log in as any employee, intercept a request to view their own document, modify the document ID to another employee's document, and retrieve sensitive documents such as identity documents, contracts, certificates, and other private employee records.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive HR files, compromising the confidentiality of employee data.

• Exposure of identity documents
• Exposure of employment contracts
• Exposure of certificates and other private employee records

Such exposure can result in privacy violations, potential identity theft, and damage to employee trust.

Useful 0 Not Useful 0

Compliance Impact

The unauthorized access and disclosure of sensitive employee documents due to this vulnerability can lead to violations of data protection regulations such as GDPR and HIPAA.

These regulations require strict controls on access to personal and sensitive information to protect privacy and ensure confidentiality.

Failure to implement proper access controls, as seen in this vulnerability, can result in non-compliance, legal penalties, and reputational damage.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access employee documents with different document IDs while authenticated as a normal user. By intercepting a legitimate request to view a document and modifying the document ID in the URL, you can check if unauthorized documents are accessible.

For example, using tools like Burp Suite or curl, you can send GET requests to the endpoint `/employee/view-file/<id>` with various document IDs to see if documents belonging to other employees are returned.

• Use curl to test access to different document IDs: `curl -b cookies.txt https://your-hrms-domain/employee/view-file/2` then change the ID to `5` or others.
• Intercept requests with Burp Suite, modify the numeric document ID in the GET request URL, and observe if documents not belonging to the authenticated user are returned.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves implementing proper object-level authorization checks in the document retrieval logic to ensure users can only access their own documents.

Specifically, the server should verify that the authenticated user owns or has permission to access the requested document before returning it. If the user is unauthorized, the server should respond with HTTP 403 Forbidden or 404 Not Found.

Until a patch is available, restrict access to the `/employee/view-file/<id>` endpoint to only authorized users and consider disabling or limiting document viewing functionality.

Monitor access logs for suspicious activity such as repeated requests with varying document IDs from the same user.

Useful 0 Not Useful 0