Bypass in OTP Handling of Horilla Human Resource Management System

CVE-2026-24038

What is CVE-2026-24038?

Horilla HRMS, an open-source Human Resource Management System, contains a security flaw in its one-time password (OTP) verification logic within version 1.4.0. The vulnerability arises from a flawed equality check that can be exploited by attackers. When an OTP expires, the server's response is None. If an attacker omits the otp field from their POST request, the user-supplied OTP also resolves to None, allowing the invalid comparison user_otp == otp to succeed. This weakness permits attackers to circumvent two-factor authentication entirely, posing significant risks when targeting administrative accounts. Successful exploitation can lead to the compromise of sensitive HR data, unauthorized manipulation of employee records, and potential system-wide abuse. A patch is available in version 1.5.0, which resolves this critical security issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References