CVE-2026-24035 identifies an improper access control vulnerability (CWE-284) in the Horilla open-source Human Resource Management System (HRMS), specifically in versions from 1.4.0 up to but not including 1.5.0. The vulnerability arises from insufficient server-side validation of the employee_id parameter during document upload operations. Authenticated employees can exploit this flaw to upload documents on behalf of other employees without proper authorization, effectively bypassing intended access controls. This can lead to unauthorized modification or insertion of documents into another employee's HR records, potentially affecting data integrity. The vulnerability does not allow access to confidential information nor does it impact system availability. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low privileges (authenticated user), no user interaction, and impacts integrity only. The issue is resolved in Horilla version 1.5.0, which implements proper validation to ensure that employees can only upload documents for themselves or authorized personnel. No known exploits are reported in the wild as of the publication date. The vulnerability highlights the critical need for robust authorization checks in HRMS platforms, especially those handling sensitive employee data and documents.

For European organizations, this vulnerability poses a moderate risk primarily to data integrity within HR systems. Unauthorized document uploads could lead to inaccurate or fraudulent employee records, which may affect payroll, compliance, or internal investigations. While confidentiality and availability are not directly impacted, the integrity breach could undermine trust in HR data and complicate audits or regulatory compliance, particularly under GDPR where data accuracy is mandated. Organizations relying on Horilla HRMS versions 1.4.0 to 1.4.x are at risk if they have multiple authenticated users with document upload privileges. Attackers with legitimate credentials can misuse this flaw to insert misleading or malicious documents, potentially facilitating insider threats or social engineering attacks. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to prevent future abuse. The impact is more pronounced in larger organizations with complex HR workflows and strict regulatory requirements common in Europe.

1. Upgrade Horilla HRMS to version 1.5.0 or later immediately to apply the official fix that enforces proper access control on document uploads. 2. Until patching is complete, restrict document upload permissions to only trusted HR personnel or administrators, minimizing the number of users who can exploit the vulnerability. 3. Implement server-side validation and authorization checks to verify that the employee_id parameter matches the authenticated user's identity or authorized scope. 4. Conduct thorough audits of uploaded documents to detect any unauthorized or suspicious files, using automated tools where possible. 5. Monitor HRMS logs for unusual upload activity, such as employees uploading documents on behalf of others, and investigate anomalies promptly. 6. Educate HR staff and employees about the risks of improper document handling and encourage reporting of suspicious behavior. 7. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block anomalous requests targeting the employee_id parameter. 8. Review and tighten overall access control policies within the HRMS and related systems to enforce the principle of least privilege.