CVE-2026-40867
Broken Access Control in Horilla 1.5.0 Allows Attachment Disclosure
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| horilla | horilla_hr | 1.5.0 |
| horilla | human_resource_management_system | 1.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40867 is a broken access control vulnerability in the Horilla Human Resource Management System's helpdesk attachment viewer. It allows any authenticated user to view attachments from other users' helpdesk tickets by simply changing the attachment ID in the URL.
The issue arises because the system fetches attachments based only on the attachment ID without verifying if the requesting user is authorized to access that attachment. This means users can access sensitive files such as internal documents, screenshots, logs, and exported data that belong to other users or teams.
Technically, the vulnerability exists in the route handling attachment viewing, which is protected only by login but lacks proper authorization checks to confirm ticket ownership or permission.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive support files and internal documents across unrelated users or teams within an organization.
An attacker with any authenticated user account can exploit this flaw to access confidential attachments from other users' helpdesk tickets, potentially exposing private information such as internal communications, logs, screenshots, and exported data.
Such unauthorized access risks data leakage between departments or tenants in shared environments, which can harm organizational security and privacy.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access attachments from helpdesk tickets that belong to other users by modifying the attachment ID in the URL while authenticated.
A practical method is to intercept a legitimate attachment request (e.g., /helpdesk/view-ticket-document/1) using a web proxy tool like Burp Suite, then modify the numeric attachment ID parameter to another value (e.g., /helpdesk/view-ticket-document/2) to see if the server returns the attachment without proper authorization.
- Use Burp Suite or a similar HTTP proxy to intercept and modify requests.
- Example command with curl to test access to a different attachment ID (replace the URL and session cookie accordingly): `curl -b "session=your_auth_cookie" https://your-horilla-instance/helpdesk/view-ticket-document/2`
If attachments from other users' tickets are accessible by changing the doc_id parameter, the vulnerability is present.
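From the defender's side, an attempt to exploit this flaw leaves a recognisable footprint in the web server's access log: one authenticated user sweeping many distinct attachment IDs within a short window. The Python below is an added example, not part of this record or of Horilla, that runs that heuristic over constructed log lines; the log format (combined format with the authenticated user in the third field), the usernames, and the threshold of three distinct IDs per five minutes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format with the authenticated user
# in the third field). "alice" and "mallory" are made-up accounts, not real data.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/Apr/2026:09:00:01 +0000] "GET /helpdesk/view-ticket-document/17 HTTP/1.1" 200 5120
10.0.0.9 - mallory [21/Apr/2026:09:01:00 +0000] "GET /helpdesk/view-ticket-document/1 HTTP/1.1" 200 880
10.0.0.9 - mallory [21/Apr/2026:09:01:02 +0000] "GET /helpdesk/view-ticket-document/2 HTTP/1.1" 200 2310
10.0.0.9 - mallory [21/Apr/2026:09:01:03 +0000] "GET /helpdesk/view-ticket-document/3 HTTP/1.1" 200 91022
10.0.0.9 - mallory [21/Apr/2026:09:01:05 +0000] "GET /helpdesk/view-ticket-document/4 HTTP/1.1" 200 4410
10.0.0.9 - mallory [21/Apr/2026:09:01:06 +0000] "GET /helpdesk/view-ticket-document/5 HTTP/1.1" 200 7708
10.0.0.5 - alice [21/Apr/2026:09:30:00 +0000] "GET /helpdesk/view-ticket-document/17 HTTP/1.1" 200 5120
"""

# Only the vulnerable route is of interest; the trailing class stops a partial-ID match.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /helpdesk/view-ticket-document/(?P<doc_id>\d+)[ /?"]'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_attachment_requests(log_text):
    """Yield (user, ip, timestamp, doc_id) for every attachment-viewer request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["doc_id"])

def find_enumerators(log_text, max_distinct_ids=3, window=timedelta(minutes=5)):
    """Return {user: sorted doc_ids} for users who fetched more than max_distinct_ids
    distinct attachments inside any window-long span. The unpatched viewer answers 200
    for every ID, so status codes carry no signal; the spread of IDs per user does."""
    by_user = defaultdict(list)
    for user, _ip, ts, doc_id in parse_attachment_requests(log_text):
        by_user[user].append((ts, doc_id))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {d for t, d in events[i:] if t - start <= window}
            if len(ids) > max_distinct_ids:
                flagged[user] = sorted(ids)
                break
    return flagged
```

A flagged user is a lead to review against ticket ownership in the application database, not proof of compromise on its own.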
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to add proper authorization checks to the attachment viewer endpoint, so that a request is served only after verifying that the requesting user is authorized to access the ticket the attachment belongs to.
Until a patch is available, consider the following actions:
- Limit access to the helpdesk attachment viewer to trusted users only.
- Monitor and audit access logs for suspicious activity involving attachment ID manipulation.
- If possible, disable or restrict the attachment viewer functionality temporarily.
Ultimately, update the application code to include authorization checks that confirm the user is the ticket owner, assignee, or helpdesk admin before serving attachments.
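The last step above, as an added example that is not Horilla's own code: a minimal, framework-free model of the attachment view before and after the fix. The model classes, field names and sample files are assumptions made for this example; in a real Django view the same ownership check would run against the ORM in place of the dictionary lookup.

```python
from dataclasses import dataclass, field

# Hypothetical, simplified stand-ins for the helpdesk models. Class and field names are
# assumptions for this example and are not Horilla's own.
@dataclass
class User:
    username: str
    is_helpdesk_admin: bool = False

@dataclass
class Ticket:
    id: int
    owner: User
    assignees: list = field(default_factory=list)

@dataclass
class Attachment:
    id: int
    ticket: Ticket
    path: str

# Constructed sample data: two unrelated employees, one helpdesk agent, one admin.
ALICE, BOB, CAROL = User("alice"), User("bob"), User("carol")
ADMIN = User("hd-admin", is_helpdesk_admin=True)
ATTACHMENTS = {  # doc_id -> Attachment, standing in for the database lookup
    1: Attachment(1, Ticket(1, owner=ALICE), "private/alice_payroll_export.csv"),
    2: Attachment(2, Ticket(2, owner=BOB, assignees=[CAROL]), "private/bob_error_screenshot.png"),
}

def view_ticket_document_vulnerable(doc_id):
    """The flawed pattern behind CVE-2026-40867: fetch by ID only, so being logged in is
    the sole gate and any authenticated user can walk doc_id. Returns (status, body)."""
    att = ATTACHMENTS.get(doc_id)
    return (404, None) if att is None else (200, att.path)

def can_view_ticket(user, ticket):
    """Object-level check: ticket owner, an assignee, or a helpdesk admin."""
    return user.is_helpdesk_admin or ticket.owner == user or user in ticket.assignees

def view_ticket_document_fixed(user, doc_id):
    """Hardened pattern: the same lookup followed by an ownership check. Denied and
    missing IDs both answer 404 so the response does not reveal which IDs exist."""
    att = ATTACHMENTS.get(doc_id)
    if att is None or not can_view_ticket(user, att.ticket):
        return (404, None)
    return (200, att.path)
```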
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The broken access control vulnerability in Horilla's helpdesk attachment viewer allows unauthorized access to sensitive support files and internal documents across unrelated users or teams. This unauthorized disclosure of confidential information can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive data.
Specifically, the vulnerability enables any authenticated user to view attachments from other users' helpdesk tickets by manipulating the attachment ID, resulting in potential exposure of personal data or protected health information. Such exposure undermines confidentiality requirements mandated by these standards.
Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations that mandate proper access controls and protection of sensitive information.