PT-2026-3915 · Horilla · Horilla
Whoisshuvam · Published 2026-01-22 · Updated 2026-01-22 · CVE-2026-24039
| CVSS v3.1 | 4.3 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Horilla versions prior to 1.5.0
Description
Horilla, a Human Resource Management System (HRMS), contains an Improper Access Control issue. A low-privileged employee can self-approve documents they have uploaded, even though the document-approval user interface is intended for administrator or high-privilege roles only. The cause is an insufficient server-side authorization check on the approval endpoint: the server relies on the UI to hide the action instead of verifying the caller's role when the request arrives. Exploitation allows users with employee-level permissions to alter application state reserved for administrators, potentially undermining the integrity of HR processes. The vulnerable endpoint is the document-approval endpoint; the vulnerable action modifies the approval status of a document using the user id associated with the employee.
Recommendations
Update to version 1.5.0 or later.
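The missing server-side check described above, shown as an added illustration that is not Horilla's own code: the role names, record fields and handler names are hypothetical. The weak handler trusts the client-supplied employee id and applies no role check; the hardened handler derives the actor from the server-side session, requires a privileged role, refuses self-approval, and records denials for detection.

```python
from dataclasses import dataclass, field

# Hypothetical privileged roles allowed to approve documents (assumption).
APPROVER_ROLES = {"admin", "hr_manager"}


@dataclass
class Document:
    doc_id: int
    uploaded_by: int          # employee id of the uploader
    status: str = "pending"   # pending | approved | rejected


@dataclass
class Session:
    user_id: int              # identity established by the server at login
    role: str


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def approve_vulnerable(docs, doc_id, requested_user_id):
    """Weak pattern: any authenticated caller flips the status, and the
    acting identity is whatever user id the client put in the request."""
    docs[doc_id].status = "approved"
    return True


def approve_fixed(docs, doc_id, session, audit):
    """Hardened handler: identity comes only from the server-side session,
    the role must be privileged, and the uploader may not self-approve.
    Every denial is logged so repeated attempts are visible to SOC tooling."""
    doc = docs[doc_id]
    actor = session.user_id
    if session.role not in APPROVER_ROLES:
        audit.entries.append(f"DENY reason=role user={actor} doc={doc_id}")
        return False
    if actor == doc.uploaded_by:
        audit.entries.append(f"DENY reason=self-approve user={actor} doc={doc_id}")
        return False
    doc.status = "approved"
    audit.entries.append(f"ALLOW user={actor} doc={doc_id}")
    return True
```

The same request that succeeds against `approve_vulnerable` is rejected by `approve_fixed` for an employee-role session, and even an admin cannot approve a document they uploaded themselves.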
Weakness Enumeration
Improper Access Control
Affected Products
Horilla