CVE-2026-24038
📋 TL;DR
This vulnerability allows attackers to bypass two-factor authentication in Horilla HRMS by omitting the OTP field from authentication requests. When the OTP expires, the server returns None, and if the attacker also sends None (by omitting the field), the flawed equality check passes. All Horilla HRMS installations running version 1.4.0 are affected.
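To make the failure mode described above concrete, here is an added Python example (not Horilla's code; the session store, field names and expiry handling are hypothetical) showing the flawed equality check beside a hardened one that rejects a missing field and an expired OTP before comparing anything.

```python
# Added illustration of the bug class in the TL;DR: an OTP check that compares
# the stored value with the submitted value using plain equality, so an expired
# OTP (looked up as None) equals an omitted request field (dict.get() -> None).
# Hypothetical code; it is NOT Horilla's implementation.
import hmac
from typing import Optional


def lookup_otp(session: dict, now: float) -> Optional[str]:
    """Return the stored OTP, or None once it has expired (hypothetical store)."""
    if session.get("otp_expires_at", 0.0) <= now:
        return None
    return session.get("otp")


def verify_otp_vulnerable(session: dict, request_data: dict, now: float) -> bool:
    """Flawed check: an expired OTP (None) compares equal to a missing field (None)."""
    submitted = request_data.get("otp")   # None when the field is omitted
    stored = lookup_otp(session, now)     # None when the OTP has expired
    return submitted == stored            # None == None -> True


def verify_otp_fixed(session: dict, request_data: dict, now: float) -> bool:
    """Hardened check: fail closed on a missing field or an expired OTP."""
    submitted = request_data.get("otp")
    if not isinstance(submitted, str) or not submitted:
        return False                      # field omitted, empty, or wrong type
    stored = lookup_otp(session, now)
    if stored is None:
        return False                      # expired: never reach the comparison
    return hmac.compare_digest(submitted, stored)  # constant-time compare


# Constructed sample: OTP issued with a 300 s lifetime, checked at t=600 (expired).
SAMPLE_SESSION = {"otp": "482913", "otp_expires_at": 300.0}
```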
💻 Affected Systems
- Horilla HRMS
📦 What is this software?
Horilla by Horilla
⚠️ Risk & Real-World Impact
Worst Case
Administrative account compromise leading to full system takeover, manipulation of sensitive HR data, payroll tampering, and unauthorized access to employee personal information.
Likely Case
Unauthorized access to user accounts, potential data exfiltration of HR records, and manipulation of employee information.
If Mitigated
Limited impact with proper network segmentation, strong authentication for administrative accounts, and monitoring for suspicious authentication attempts.
🎯 Exploit Status
Exploitation requires valid username/password credentials but bypasses the OTP requirement. Attackers need to know the authentication endpoint structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf
Restart Required: Yes
Instructions:
1. Back up your Horilla installation and database.
2. Download version 1.5.0 from the official GitHub repository.
3. Replace the existing installation with the new version.
4. Restart the Horilla service.
5. Verify the fix by testing OTP authentication.
🔧 Temporary Workarounds
Disable OTP Authentication
Temporarily disable two-factor authentication until patching is complete.
Modify Horilla configuration to disable OTP-based authentication
Web Application Firewall Rule
Block authentication requests missing the OTP field.
Configure WAF to reject POST requests to authentication endpoints without OTP parameter
🧯 If You Can't Patch
- Implement network-level controls to restrict access to Horilla to trusted IP addresses only.
- Enable detailed logging of all authentication attempts and monitor for missing OTP fields in requests.
🔍 How to Verify
Check if Vulnerable:
Check the Horilla version via the admin interface or configuration files. If the version is 1.4.0 and OTP authentication is enabled, the system is vulnerable.
Check Version:
Check the version in Horilla's admin dashboard or configuration files.
Verify Fix Applied:
After upgrading to 1.5.0, test OTP authentication by attempting to authenticate without providing an OTP field at all (not just an empty value). The attempt should fail.
📡 Detection & Monitoring
Log Indicators:
- Authentication attempts with missing OTP field
- Successful logins without OTP validation
- Multiple failed OTP attempts followed by successful login
Network Indicators:
- POST requests to authentication endpoints without OTP parameter
- Unusual authentication patterns from single IP addresses
SIEM Query:
source="horilla_logs" AND (event="authentication" AND NOT otp_present="true")