Broken Access Control in Horilla Human Resource Management System
CVE-2026-40867

7.1 HIGH

Key Information:

Status:
Vendor:
CVE Published: 21 April 2026

What is CVE-2026-40867?

The Horilla Human Resource Management System (HRMS) version 1.5.0 is susceptible to a broken access control vulnerability that permits authenticated users to access and view attachments from other support tickets. By simply altering the attachment ID, a user can gain unauthorized visibility into potentially sensitive support files and internal documents, thereby compromising the confidentiality of information across different users or teams.
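As an added illustration (not code from Horilla or from this advisory), the following Python models the missing object-level check described above: a download helper that looks up the attachment by ID alone, beside one that first verifies the requester owns or is assigned to the parent ticket. Ticket, Attachment, the fetch_* functions and the sample users are assumed names.

```python
# Added example (not Horilla's code): models the object-level authorization
# check that a ticket-attachment download endpoint needs. Ticket, Attachment
# and the fetch_* functions are hypothetical names, not Horilla's.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    id: int
    owner: str                          # user who raised the ticket
    assignees: frozenset = frozenset()  # support staff handling it

@dataclass(frozen=True)
class Attachment:
    id: int
    ticket_id: int
    filename: str

# Constructed sample data: two tickets owned by different users.
TICKETS = {1: Ticket(1, "alice", frozenset({"helpdesk"})), 2: Ticket(2, "bob")}
ATTACHMENTS = {10: Attachment(10, 1, "payslip.pdf"),
               11: Attachment(11, 2, "contract.pdf")}

class NotFound(Exception):
    pass

def fetch_attachment_vulnerable(user: str, attachment_id: int) -> Attachment:
    """The pattern behind the CVE: authentication only, no ownership check,
    so any logged-in user who alters the ID is served the file."""
    try:
        return ATTACHMENTS[attachment_id]
    except KeyError:
        raise NotFound from None

def fetch_attachment_hardened(user: str, attachment_id: int) -> Attachment:
    """Object-level check: serve the file only if the requester owns or is
    assigned to the parent ticket. Unauthorized and nonexistent IDs both
    raise NotFound so the response does not reveal which IDs exist."""
    att = ATTACHMENTS.get(attachment_id)
    ticket = TICKETS.get(att.ticket_id) if att else None
    if ticket is None or (user != ticket.owner and user not in ticket.assignees):
        raise NotFound
    return att

def can_view(user: str, attachment_id: int, fetch=fetch_attachment_hardened) -> bool:
    # True if fetch() grants this user access to the attachment.
    try:
        fetch(user, attachment_id)
        return True
    except NotFound:
        return False
```

The hardened variant returns the same not-found result for someone else's attachment and for an ID that does not exist, which also keeps a failed lookup from confirming that an ID is valid.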

Affected Version(s)

horilla 1.5.0

References

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved
