CVE-2026-40866
Received Received - Intake
Insecure Direct Object Reference in Horilla 1.5.0 Allows Document Tampering

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the document ID in the upload request. This enables unauthorized modification of HR records.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40866
EUVD
EUVD-2026-24234
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
horilla horilla-hr 1.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40866 is a high-severity insecure direct object reference (IDOR) vulnerability in the Horilla Human Resource Management System (HRMS) version 1.5.0. It exists in the employee document upload endpoint, where any authenticated user can manipulate the numeric document ID in the upload request to overwrite, replace, or corrupt another employee's document.

The vulnerability arises because the server retrieves the document by its ID without verifying if the user owns or is authorized to modify that document. The endpoint only requires the user to be logged in but does not enforce per-object authorization checks.

An attacker can capture a valid upload request and change the document ID to target another employee's document, successfully replacing it with their own uploaded file. This leads to unauthorized modification of HR records.

Compliance Impact

This vulnerability allows unauthorized modification of employee documents, leading to potential tampering with HR records. Such unauthorized access and alteration of personal and sensitive employee data can violate data protection principles required by common standards and regulations like GDPR and HIPAA.

Specifically, the broken object-level authorization and the ability for any authenticated user to overwrite another employee’s documents compromise data integrity and confidentiality, which are core requirements under these regulations.

This could disrupt compliance processes related to data accuracy, integrity, and access control, potentially resulting in regulatory non-compliance and associated legal or financial penalties.

Impact Analysis

This vulnerability can have serious impacts including unauthorized modification of employee documents, which compromises the integrity and confidentiality of HR records.

  • Attackers can overwrite or corrupt other employees' documents, potentially planting misleading or malicious files.
  • It can disrupt critical HR processes such as onboarding, verification, and compliance by tampering with official records.
  • All employees with stored documents are at risk since the vulnerability affects the document upload functionality without proper access controls.
Detection Guidance

This vulnerability can be detected by monitoring and analyzing HTTP requests to the employee document upload endpoint for suspicious activity, such as authenticated users modifying the document ID in the upload URL to access or overwrite documents they do not own.

A practical approach is to capture and inspect multipart upload requests to the endpoint `employee/file-upload/<int:id>` and verify if the document ID parameter is being manipulated.

Commands or tools that can help detect this include:

  • Using a proxy tool like Burp Suite or OWASP ZAP to intercept and modify upload requests to test if document IDs can be changed to unauthorized values.
  • Using network traffic capture tools such as tcpdump or Wireshark to filter HTTP POST requests to the upload endpoint and analyze the URL paths and payloads.
  • Example tcpdump command to capture HTTP POST requests to the vulnerable endpoint (adjust interface and host as needed):
  • tcpdump -i eth0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /employee/file-upload/'
  • Review application logs for upload requests and check if document IDs are being accessed or modified by users other than the document owners.
Mitigation Strategies

Immediate mitigation steps include implementing proper authorization checks on the document upload endpoint to ensure that users can only modify documents they own.

  • Add ownership verification in the upload handler code to confirm that the authenticated user is authorized to access the document identified by the ID before allowing any modification.
  • Restrict the endpoint access beyond just authentication by enforcing per-object access control.
  • If a patch or updated version of horilla-hr is available that fixes this issue, apply it immediately.
  • Monitor and audit document upload activities to detect any unauthorized modifications.
  • Consider temporarily disabling the document upload functionality if immediate code changes or patches cannot be applied.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40866. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart