CVE-2026-24036
📋 TL;DR
This vulnerability in Horilla HRMS allows unauthenticated attackers to view unpublished job postings through an exposed API endpoint. Organizations using Horilla versions 1.4.0 and above are affected, potentially leaking sensitive hiring information and allowing unauthorized access to application workflows.
💻 Affected Systems
- Horilla HRMS
📦 What is this software?
Horilla by Horilla
⚠️ Risk & Real-World Impact
Worst Case
Competitors or malicious actors access confidential hiring plans, internal restructuring details, and sensitive job descriptions, potentially leading to business intelligence theft and disruption of recruitment processes.
Likely Case
Unauthorized individuals discover unpublished job roles, apply to positions not meant for public viewing, and cause confusion among legitimate candidates while exposing internal hiring strategies.
If Mitigated
With proper authentication controls, only authorized HR personnel can access draft job postings, maintaining confidentiality of hiring processes.
🎯 Exploit Status
Exploitation requires only HTTP GET requests to the vulnerable endpoint. No authentication or special tools are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7
Restart Required: Yes
Instructions:
1. Back up your Horilla database and configuration.
2. Download Horilla version 1.5.0 from the official repository.
3. Replace the existing installation files with the new version.
4. Restart the Horilla application server.
5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Web Server Access Control
Block unauthenticated access to the vulnerable endpoint using web server configuration:

```apache
# For Apache: add to the virtual host config (in .htaccess, drop the <Location> wrapper,
# since Location is not allowed there). Require valid-user only works with an auth provider
# configured, so the AuthType/AuthName/AuthUserFile lines are required.
<Location "/recruitment/recruitment-details/">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd   # htpasswd file you create; path is an example
    Require valid-user
</Location>
```

```nginx
# For Nginx: add to the server block. A nested location does not inherit proxy_pass /
# uwsgi_pass, so repeat the upstream directive the application location already uses,
# otherwise nginx will try to serve the path from disk.
location /recruitment/recruitment-details/ {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;   # htpasswd file you create
}
```
Firewall Rule
Block external access to the vulnerable endpoint using network firewall rules:

```bash
# Example iptables rule to block access to the endpoint. Caveats: the string match only
# sees plaintext HTTP (TLS traffic on 443 cannot be inspected this way), it can be evaded
# by splitting the path across packets, and as written it drops matching requests from
# every source, internal users included (add e.g. '! -s <internal-range>' to exempt them).
sudo iptables -A INPUT -p tcp --dport 80 -m string --string "/recruitment/recruitment-details/" --algo bm -j DROP

# Windows Defender Firewall filters by port and address, not by URL: create an inbound
# rule that restricts ports 80/443 to trusted source addresses instead.
```
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the HRMS application from external networks
- Deploy a Web Application Firewall (WAF) with rules to block unauthenticated access to recruitment endpoints
🔍 How to Verify
Check if Vulnerable:
Send an unauthenticated HTTP GET request to http://[horilla-host]/recruitment/recruitment-details/[any-id]/ and check if draft job posting data is returned.
Check Version:
Check the Horilla admin panel or inspect the application's version file. For command line: grep -r "version" /path/to/horilla/ | grep -i "1.4"
Verify Fix Applied:
After patching, attempt the same unauthenticated request. It should return an authentication error or 404 instead of job posting data.
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthenticated GET requests to /recruitment/recruitment-details/ endpoints
- Access logs showing successful 200 responses to recruitment endpoints without authentication headers
Network Indicators:
- Unusual traffic patterns to recruitment endpoints from external IPs
- HTTP GET requests to sequential recruitment IDs without authentication
SIEM Query:
```
source="horilla_access.log" AND uri="/recruitment/recruitment-details/*" AND user="-" AND auth="-" AND response="200"
```
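As an added example that is not part of this advisory, the two log indicators above implemented in Python over constructed Apache/Nginx combined-format lines: `find_unauth_reads` is the SIEM query (a 200 on the endpoint with the remote-user field empty) and `find_enumeration` flags source IPs that walked consecutive job ids. It assumes the web server writes the authenticated user into the access log; with Horilla's session-based logins that field is normally `-` for everyone, so the enumeration check is the more reliable signal unless the basic-auth workaround above is in place.

```python
import re
from collections import defaultdict

# Combined log format (Apache/Nginx): ip ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# The vulnerable endpoint, capturing the numeric job-posting id
TARGET_RE = re.compile(r'^/recruitment/recruitment-details/(?P<id>\d+)/?(?:\?.*)?$')

# Constructed sample lines for this demonstration, not real traffic
SAMPLE_LOG = """\
10.1.2.3 - - [12/Jan/2026:10:00:01 +0000] "GET /recruitment/recruitment-details/41/ HTTP/1.1" 200 5123 "-" "curl/8.0"
10.1.2.3 - - [12/Jan/2026:10:00:02 +0000] "GET /recruitment/recruitment-details/42/ HTTP/1.1" 200 5010 "-" "curl/8.0"
10.1.2.3 - - [12/Jan/2026:10:00:03 +0000] "GET /recruitment/recruitment-details/43/ HTTP/1.1" 200 4988 "-" "curl/8.0"
192.0.2.7 - hr_admin [12/Jan/2026:10:05:00 +0000] "GET /recruitment/recruitment-details/7/ HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2026:10:06:00 +0000] "GET /recruitment/recruitment-details/8/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return a dict for one access-log line (None if unparsable); job_id is set for endpoint hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    t = TARGET_RE.match(rec["path"])
    rec["job_id"] = int(t.group("id")) if t else None
    rec["status"] = int(rec["status"])
    return rec

def find_unauth_reads(lines):
    """Log indicator: 200 on the endpoint with no authenticated user (the SIEM query above)."""
    return [(r["ip"], r["job_id"]) for r in map(parse, lines)
            if r and r["job_id"] is not None and r["status"] == 200 and r["user"] == "-"]

def find_enumeration(lines, min_run=3):
    """Network indicator: source IPs that requested consecutive job ids, whatever the status."""
    ids_by_ip = defaultdict(set)
    for r in map(parse, lines):
        if r and r["job_id"] is not None:
            ids_by_ip[r["ip"]].add(r["job_id"])
    flagged = {}
    for ip, ids in ids_by_ip.items():
        ids, run, best = sorted(ids), 1, 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1   # extend or reset the consecutive run
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best   # longest run of consecutive ids seen from this source
    return flagged
```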