Insecure Direct Object Reference in Horilla HRMS Affects Sensitive Employee Documents
CVE-2026-40865
7.1 HIGH
What is CVE-2026-40865?
Horilla HRMS version 1.5.0 is susceptible to an insecure direct object reference vulnerability in the employee document viewer. This flaw enables any authenticated user to retrieve uploaded documents from other employees by simply modifying the document ID in their request. As a result, sensitive HR files—including identity documents, employment contracts, and private certificates—could be exposed, creating significant privacy risks for individuals within the organization.
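The access-control gap described above, shown as an added example that is not Horilla's code: a minimal document-view handler that fetches a record by ID alone, beside a version that enforces object-level authorization (the owning employee or an HR role). The users, documents and function names are constructed for illustration and do not reflect Horilla's API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    employee_id: int
    is_hr: bool = False


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_employee_id: int
    filename: str


# Constructed sample data: documents belonging to two different employees.
DOCUMENTS = {
    101: Document(101, 1, "alice_passport.pdf"),
    102: Document(102, 2, "bob_contract.pdf"),
    103: Document(103, 2, "bob_certificate.pdf"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested document."""


def view_document_vulnerable(user: User, doc_id: int) -> Document:
    """IDOR pattern: authentication is assumed upstream, but the handler
    never checks who owns the document, so any logged-in user who changes
    doc_id receives another employee's file. `user` is unused on purpose."""
    return DOCUMENTS[doc_id]


def view_document_fixed(user: User, doc_id: int) -> Document:
    """Object-level authorization: only the owner or an HR user may read it."""
    doc = DOCUMENTS.get(doc_id)
    # Same error for "missing" and "not yours", so responses do not reveal
    # which IDs exist in the document table.
    if doc is None or not (user.is_hr or doc.owner_employee_id == user.employee_id):
        raise Forbidden(f"document {doc_id} is not accessible to {user.username}")
    return doc
```

The hardened check belongs next to the lookup itself (or in the query, by filtering on the owner), not only in the UI that lists a user's own documents.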
Affected Version(s)
horilla 1.5.0
