CVE-2026-24035
📋 TL;DR
This vulnerability allows any authenticated employee in Horilla HRMS to upload documents on behalf of any other employee without proper authorization. It affects organizations using Horilla HR Software versions 1.4.0 through 1.4.x. The issue stems from insufficient server-side validation of employee_id parameters during file upload operations.
💻 Affected Systems
- Horilla HR Software
📦 What is this software?
Horilla by Horilla
⚠️ Risk & Real-World Impact
Worst Case
A malicious employee could upload harmful files, forge documents, or plant evidence in other employees' records, potentially leading to HR disputes, compliance violations, or legal issues.
Likely Case
Employees could upload inappropriate or misleading documents to colleagues' records, causing confusion, HR investigations, or minor data integrity issues.
If Mitigated
With proper access controls, only authorized personnel can upload documents to specific employee records, maintaining data integrity and compliance.
🎯 Exploit Status
Exploitation requires authenticated employee access and involves manipulating the employee_id parameter during document uploads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://github.com/horilla-opensource/horilla/security/advisories/GHSA-fm3f-xpgx-8xr3
Restart Required: Yes
Instructions:
1. Backup your Horilla database and application files.
2. Download version 1.5.0 from the official GitHub releases.
3. Replace existing installation files with the new version.
4. Run any database migrations if required.
5. Restart the application server.
🔧 Temporary Workarounds
Implement server-side validation middleware
Add custom server-side validation that checks, before the upload is processed, that the submitted employee_id is the authenticated user's own employee record or that the user holds a permission allowing uploads to other employees' records.
# Requires modifying Horilla source code to add validation logic in upload handlers
Restrict upload permissions
Temporarily limit document upload functionality to HR administrators only until patching is complete.
# Modify user role permissions in Horilla to disable uploads for regular employees
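The server-side check described in the first workaround, shown as an added example rather than Horilla's own code. The class and function names, the permission string "employee.add_employeedocument" and the simulated storage step are assumptions chosen for this illustration; Horilla's real view, model and permission names may differ. The unchecked handler is included only to show the defect class the fix closes.

```python
"""Ownership check for employee document uploads (added example, not Horilla code).

Assumed names: AuthenticatedUser, UploadRequest, resolve_target_employee,
handle_upload, and the permission string CROSS_EMPLOYEE_UPLOAD_PERM.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthenticatedUser:
    """What the server already knows about the caller from the session."""
    user_id: int
    employee_id: int                 # employee record this login belongs to
    permissions: frozenset = field(default_factory=frozenset)

    def has_perm(self, perm: str) -> bool:
        return perm in self.permissions


@dataclass(frozen=True)
class UploadRequest:
    """Client-controlled parts of the request; never trusted as-is."""
    employee_id_param: str           # raw form field
    filename: str


# Assumed permission name; substitute the one your deployment actually uses.
CROSS_EMPLOYEE_UPLOAD_PERM = "employee.add_employeedocument"


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def handle_upload_unchecked(user: AuthenticatedUser, req: UploadRequest) -> dict:
    """Defect pattern: the form value decides where the file lands."""
    return {"status": 201, "stored_for_employee": int(req.employee_id_param)}


def resolve_target_employee(user: AuthenticatedUser, req: UploadRequest) -> int:
    """Return the employee id the upload may land on, or raise.

    Rule: a caller may upload only to their own record unless they hold the
    cross-employee permission. Done server-side, so a tampered employee_id is
    rejected before any file is written.
    """
    try:
        requested = int(req.employee_id_param)
    except (TypeError, ValueError):
        raise BadRequest("employee_id must be an integer")
    if requested == user.employee_id:
        return requested
    if user.has_perm(CROSS_EMPLOYEE_UPLOAD_PERM):
        return requested
    raise Forbidden(f"user {user.user_id} may not upload to employee {requested}")


def handle_upload(user: AuthenticatedUser, req: UploadRequest) -> dict:
    """Hardened handler: authorize first, then store (storage simulated here)."""
    try:
        target = resolve_target_employee(user, req)
    except Forbidden as exc:
        # A refusal here is exactly the event the detection section wants logged.
        return {"status": 403, "detail": str(exc)}
    except BadRequest as exc:
        return {"status": 400, "detail": str(exc)}
    # Real code would persist req.filename against `target` at this point.
    return {"status": 201, "stored_for_employee": target, "filename": req.filename}


if __name__ == "__main__":
    alice = AuthenticatedUser(user_id=1, employee_id=101)
    print(handle_upload_unchecked(alice, UploadRequest("202", "cv.pdf")))  # lands on 202
    print(handle_upload(alice, UploadRequest("202", "cv.pdf")))            # 403
```

The check keys off the session's employee id, not anything the client submits; if your deployment lets HR staff upload for others, express that as an explicit permission rather than by trusting the form field.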
🧯 If You Can't Patch
- Implement network segmentation to isolate the HRMS system from regular employee networks, limiting access to authorized personnel only.
- Enable detailed audit logging for all document upload activities and implement regular log reviews to detect unauthorized upload attempts.
🔍 How to Verify
Check if Vulnerable:
Check the Horilla version in the application settings or admin panel. If the version is 1.4.0 through 1.4.x, the system is vulnerable.
Check Version:
Check the version in the Horilla admin panel, or examine the application's version file if accessible.
Verify Fix Applied:
After upgrading to 1.5.0, test document upload functionality with different employee accounts to ensure they can only upload to their own records.
📡 Detection & Monitoring
Log Indicators:
- Unusual document upload patterns
- Uploads from employee accounts targeting other employee IDs
- Failed authorization attempts for document uploads
Network Indicators:
- HTTP POST requests to document upload endpoints with mismatched employee_id parameters
SIEM Query:
source="horilla_logs" AND (event="document_upload" AND user_id != target_employee_id)
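An offline detection pass over the log indicators above, as an added example that is not Horilla's own logging format or a vendor-supplied query. The log lines are constructed, and the field names (actor_user_id, actor_employee_id, target_employee_id, actor_roles, event, outcome) and the HR role names are assumptions; map them to the fields your audit log actually emits. It goes slightly beyond the SIEM query by comparing employee ids rather than a user id to an employee id, excusing HR roles, and ranking actors by how many distinct records they touched.

```python
"""Sweep upload-audit logs for cross-employee uploads (added example, not Horilla code)."""
import json

# Constructed sample log lines; field names are assumptions, not Horilla's format.
SAMPLE_LOG = """\
{"ts":"2026-02-01T09:00:01Z","event":"document_upload","outcome":"success","actor_user_id":1,"actor_employee_id":101,"target_employee_id":101,"actor_roles":["employee"],"src_ip":"10.0.5.21"}
{"ts":"2026-02-01T09:00:07Z","event":"document_upload","outcome":"success","actor_user_id":1,"actor_employee_id":101,"target_employee_id":202,"actor_roles":["employee"],"src_ip":"10.0.5.21"}
{"ts":"2026-02-01T09:00:09Z","event":"document_upload","outcome":"success","actor_user_id":1,"actor_employee_id":101,"target_employee_id":203,"actor_roles":["employee"],"src_ip":"10.0.5.21"}
{"ts":"2026-02-01T09:01:15Z","event":"document_upload","outcome":"success","actor_user_id":7,"actor_employee_id":700,"target_employee_id":202,"actor_roles":["hr_admin"],"src_ip":"10.0.1.4"}
{"ts":"2026-02-01T09:02:30Z","event":"document_upload","outcome":"denied","actor_user_id":3,"actor_employee_id":303,"target_employee_id":101,"actor_roles":["employee"],"src_ip":"10.0.5.40"}
{"ts":"2026-02-01T09:03:00Z","event":"login","outcome":"success","actor_user_id":3,"actor_employee_id":303,"actor_roles":["employee"],"src_ip":"10.0.5.40"}
"""

HR_ROLES = {"hr_admin", "hr_manager"}   # assumed role names for authorized cross-record uploads


def parse_events(text):
    """One JSON object per line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_cross_employee(ev):
    """Upload event whose target is a different employee record than the actor's."""
    return (ev.get("event") == "document_upload"
            and ev.get("target_employee_id") is not None
            and ev.get("actor_employee_id") != ev.get("target_employee_id"))


def find_suspicious_uploads(events):
    """Alerts for cross-employee uploads by actors without an HR role.

    A successful one is the exploitation signature on an unpatched system;
    a denied one is an attempt the authorization check blocked.
    """
    alerts = []
    for ev in events:
        if not is_cross_employee(ev):
            continue
        if HR_ROLES & set(ev.get("actor_roles", [])):
            continue   # authorized by role
        alerts.append({
            "ts": ev["ts"],
            "actor_employee_id": ev["actor_employee_id"],
            "target_employee_id": ev["target_employee_id"],
            "outcome": ev.get("outcome"),
            "src_ip": ev.get("src_ip"),
            "severity": "high" if ev.get("outcome") == "success" else "medium",
        })
    return alerts


def targets_per_actor(alerts):
    """Distinct target records per actor; one actor touching many stands out."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["actor_employee_id"], set()).add(a["target_employee_id"])
    return {actor: len(targets) for actor, targets in seen.items()}


if __name__ == "__main__":
    found = find_suspicious_uploads(parse_events(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(targets_per_actor(found))
```

On the constructed input this flags two successful uploads by employee 101 to other records and one denied attempt by 303, while the hr_admin upload and the login event pass. Denied events only appear once the 1.5.0 check (or the workaround) is in place, so seeing them after the upgrade is also a useful sign the fix is active.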