CVE-2026-40866
Status: Received - Intake
Insecure Direct Object Reference in Horilla 1.5.0 Allows Document Tampering

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the document ID in the upload request. This enables unauthorized modification of HR records.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: horilla
Product: horilla-hr
Version / Range: 1.5.0
CWE
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40866 is an insecure direct object reference (IDOR) vulnerability in the Horilla Human Resource Management System (HRMS) version 1.5.0. It exists in the employee document upload endpoint, where any authenticated user can change the numeric document ID in the upload request to overwrite, replace, or corrupt another employee's document.

The vulnerability arises because the server retrieves the document by its ID without verifying if the user owns or is authorized to modify that document. The endpoint only requires the user to be logged in but does not enforce per-object authorization checks.

An attacker can capture a valid upload request and change the document ID to target another employee's document, successfully replacing it with their own uploaded file. This leads to unauthorized modification of HR records.


How can this vulnerability impact me?

This vulnerability allows unauthorized modification of employee documents, which compromises the integrity of HR records (and their availability, where a document is corrupted). The published description covers overwriting and corrupting documents; it does not state that existing documents can be read.

  • Attackers can overwrite or corrupt other employees' documents, potentially planting misleading or malicious files.
  • It can disrupt critical HR processes such as onboarding, verification, and compliance by tampering with official records.
  • All employees with stored documents are at risk since the vulnerability affects the document upload functionality without proper access controls.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and analyzing HTTP requests to the employee document upload endpoint for suspicious activity, such as authenticated users modifying the document ID in the upload URL to access or overwrite documents they do not own.

A practical approach is to capture and inspect multipart upload requests to the endpoint `employee/file-upload/<int:id>` and check whether the document ID in the URL path belongs to a document the requesting session user owns (or is otherwise entitled to modify, such as HR staff). The indicator is a mismatch between the authenticated user and the document's owner, not the presence of an ID in the URL, which is normal for this endpoint.

Commands or tools that can help detect this include:

  • Using a proxy tool like Burp Suite or OWASP ZAP to intercept and modify upload requests to test if document IDs can be changed to unauthorized values.
  • Using network traffic capture tools such as tcpdump or Wireshark to filter HTTP POST requests to the upload endpoint and analyze the URL paths and payloads.
  • Example tcpdump command to capture HTTP POST requests to the vulnerable endpoint (adjust interface and host as needed). The filter keeps only TCP segments that carry payload, and `-l` line-buffers the output so grep prints matches as they arrive:
  • tcpdump -i eth0 -l -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /employee/file-upload/'
  • This only works where the traffic is plaintext HTTP. If Horilla is served over TLS, capture behind the TLS-terminating reverse proxy or use that proxy's access log instead.
  • Review application logs for upload requests and check whether document IDs are being written to by users other than the document owners.
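The log-review step above, carried out as an added example (this is not Horilla's code or part of the original page). It assumes a combined-format access log whose third field holds the authenticated username (as a reverse proxy can set from the session), and an ownership table mapping document IDs to the employee user that owns them; the log lines, the ownership table and the `privileged` allow-list for HR staff below are all constructed for illustration. Every POST to `/employee/file-upload/<id>` by a non-privileged user who is not the owner is flagged, including POSTs to IDs that do not exist, since guessing IDs is itself a signal, and each user's set of targeted IDs is returned so enumeration stands out.

```python
"""Flag cross-user document uploads in web-server access logs (added example)."""
import re
from collections import defaultdict

# Constructed ownership table: document id -> owning username.
DOCUMENT_OWNERS = {
    41: "alice",
    42: "bob",
    43: "carol",
}

# Constructed access-log lines; the third field is the authenticated user.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/Apr/2026:10:01:12 +0000] "POST /employee/file-upload/41 HTTP/1.1" 302 0
10.0.0.9 - bob [21/Apr/2026:10:02:03 +0000] "POST /employee/file-upload/41 HTTP/1.1" 302 0
10.0.0.9 - bob [21/Apr/2026:10:02:10 +0000] "POST /employee/file-upload/43 HTTP/1.1" 302 0
10.0.0.9 - bob [21/Apr/2026:10:02:15 +0000] "GET /employee/employee-view/ HTTP/1.1" 200 5120
10.0.0.7 - carol [21/Apr/2026:10:05:44 +0000] "POST /employee/file-upload/43 HTTP/1.1" 302 0
10.0.0.9 - bob [21/Apr/2026:10:06:01 +0000] "POST /employee/file-upload/99 HTTP/1.1" 404 0
"""

# Combined log format with the username in the third field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The upload endpoint named on the page, with the numeric ID as a path segment.
UPLOAD_RE = re.compile(r"^/employee/file-upload/(?P<doc_id>\d+)/?$")


def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_cross_user_uploads(log_text, owners, privileged=frozenset()):
    """Return (findings, per_user_ids).

    findings: list of (user, doc_id, owner, status) for POSTs to the upload
    endpoint where the requesting user is neither the document's owner nor
    in the privileged allow-list (HR staff who legitimately upload for
    others). Unknown IDs are reported with owner None.
    per_user_ids: user -> set of document IDs that user posted to.
    """
    findings = []
    per_user_ids = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        m = UPLOAD_RE.match(rec["path"])
        if not m:
            continue
        doc_id = int(m.group("doc_id"))
        user = rec["user"]
        per_user_ids[user].add(doc_id)
        if user in privileged:
            continue
        owner = owners.get(doc_id)
        if owner != user:
            findings.append((user, doc_id, owner, int(rec["status"])))
    return findings, dict(per_user_ids)


if __name__ == "__main__":
    hits, ids = find_cross_user_uploads(SAMPLE_LOG, DOCUMENT_OWNERS)
    for user, doc_id, owner, status in hits:
        print(f"ALERT user={user} posted to document {doc_id} owned by {owner} (HTTP {status})")
    for user, doc_ids in ids.items():
        if len(doc_ids) > 1:
            print(f"NOTE user={user} posted to {len(doc_ids)} distinct document IDs: {sorted(doc_ids)}")
```

On the constructed sample this reports bob's uploads to documents 41 and 43 (owned by alice and carol) and his POST to the non-existent ID 99, and shows bob touching three distinct IDs. In a real deployment the ownership table comes from the application database and the privileged set from its HR roles; without that allow-list, every legitimate HR upload on someone else's behalf would be a false positive.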

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing proper authorization checks on the document upload endpoint to ensure that users can only modify documents they own.

  • Add ownership verification in the upload handler code to confirm that the authenticated user is authorized to access the document identified by the ID before allowing any modification.
  • Restrict the endpoint access beyond just authentication by enforcing per-object access control.
  • If a patch or updated version of horilla-hr is available that fixes this issue, apply it immediately.
  • Monitor and audit document upload activities to detect any unauthorized modifications.
  • Consider temporarily disabling the document upload functionality if immediate code changes or patches cannot be applied.
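The ownership check from the first two mitigation steps, shown as an added example beside the vulnerable pattern. This is illustrative code, not Horilla's own handler: the `User`, `EmployeeDocument` and `Request` classes, the in-memory document table and the `is_hr_admin` flag are assumed stand-ins for what a Django view would see, and the real model and permission names in Horilla may differ. The vulnerable handler fetches the document by the caller-supplied ID and writes to it; the hardened one performs the same fetch but refuses the write unless the caller owns the document or holds the HR permission.

```python
"""Vulnerable vs hardened document-upload handler (added, illustrative code)."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when an authenticated user is not allowed to modify the object."""


class NotFound(Exception):
    """Raised when no document has the requested ID."""


@dataclass
class User:
    username: str
    is_hr_admin: bool = False   # assumed stand-in for a real permission check


@dataclass
class EmployeeDocument:
    id: int
    owner: str                  # username of the employee the document belongs to
    content: bytes = b""


@dataclass
class Request:
    user: User                  # already authenticated, as @login_required would ensure
    files: dict = field(default_factory=dict)


def fresh_documents():
    """Constructed in-memory 'table' standing in for the ORM."""
    return {
        41: EmployeeDocument(41, "alice", b"alice-contract.pdf"),
        42: EmployeeDocument(42, "bob", b"bob-contract.pdf"),
    }


def get_object_or_404(table, pk):
    """Minimal stand-in for Django's get_object_or_404."""
    try:
        return table[pk]
    except KeyError:
        raise NotFound(pk)


def file_upload_vulnerable(documents, request, id):
    """IDOR pattern: looks the document up by ID and overwrites it.

    Authentication is the only gate, so any logged-in user who changes the
    ID in the URL can replace another employee's document.
    """
    document = get_object_or_404(documents, id)
    document.content = request.files["file"]
    return document


def can_modify(user, document):
    """Object-level check: the owning employee, or a user with the HR admin permission."""
    return user.username == document.owner or user.is_hr_admin


def file_upload_hardened(documents, request, id):
    """Same lookup, but the write happens only if the caller may modify this object."""
    document = get_object_or_404(documents, id)
    if not can_modify(request.user, document):
        raise PermissionDenied(f"{request.user.username} may not modify document {id}")
    document.content = request.files["file"]
    return document


if __name__ == "__main__":
    mallory = Request(User("mallory"), {"file": b"tampered"})
    docs = fresh_documents()
    file_upload_vulnerable(docs, mallory, 41)
    print("vulnerable handler: document 41 now holds", docs[41].content)
    docs = fresh_documents()
    try:
        file_upload_hardened(docs, mallory, 41)
    except PermissionDenied as exc:
        print("hardened handler refused:", exc)
    print("hardened handler: document 41 still holds", docs[41].content)
```

In an actual Django view the same effect is more robustly achieved by scoping the queryset before the lookup (filtering documents to those the request user may edit and only then calling `get_object_or_404`), so an object the caller is not entitled to is never fetched at all; the explicit `can_modify` check is shown here because it makes the missing step visible. Either way, the permission for HR staff should come from the application's role model, not from a hard-coded flag as in this stand-in.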

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized modification of employee documents, leading to potential tampering with HR records. Such unauthorized access and alteration of personal and sensitive employee data can violate data protection principles required by common standards and regulations like GDPR and HIPAA.

Specifically, the broken object-level authorization and the ability for any authenticated user to overwrite another employee's documents compromise data integrity, which is a core requirement under these regulations.

This could disrupt compliance processes related to data accuracy, integrity, and access control, potentially resulting in regulatory non-compliance and associated legal or financial penalties.

