CVE-2026-24039

CVE-2026-24039 is a medium-severity vulnerability in Horilla with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-284.

Key facts

Description

Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0.

Frequently asked questions

What is CVE-2026-24039?
Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0.
How severe is CVE-2026-24039?
CVE-2026-24039 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
Is CVE-2026-24039 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (16th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-24039?
CVE-2026-24039 affects Horilla. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-24039?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-24039 have an EU (EUVD) identifier?
Yes. CVE-2026-24039 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-4220.
When was CVE-2026-24039 published?
CVE-2026-24039 was published on 2026-01-22 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Horilla

All CVEs affecting Horilla →

Other CWE-284 (Improper Access Control) vulnerabilities

Browse all CWE-284 (Improper Access Control) vulnerabilities →