Horilla is an open-source Human Resource Management System widely used for managing employee data and documents. The vulnerability identified as CVE-2026-24035 is categorized under CWE-284 (Improper Access Control) and affects Horilla versions from 1.4.0 up to but not including 1.5.0. The core issue arises from insufficient server-side validation of the employee_id parameter during document upload operations. Specifically, any authenticated user can manipulate this parameter to upload documents on behalf of other employees without proper authorization checks. This bypasses intended access controls, allowing unauthorized modification of employee records by injecting or associating files with other employees’ profiles. The vulnerability does not require elevated privileges beyond standard authentication, nor does it require user interaction beyond logging in. The impact is primarily on data integrity, as unauthorized documents could be uploaded, potentially misleading HR processes or causing compliance issues. Confidentiality and availability are not directly affected, and no remote code execution or privilege escalation is involved. The issue is resolved in Horilla version 1.5.0, which implements proper server-side validation to ensure that employees can only upload documents to their own profiles. The CVSS v3.1 base score is 4.3, reflecting a medium severity due to the limited scope and impact. No known exploits have been reported in the wild to date, but the vulnerability poses a risk in environments where multiple employees have authenticated access to the HRMS.

For European organizations, this vulnerability could lead to unauthorized document uploads within HR systems, potentially compromising the integrity of employee records. This may result in inaccurate personnel files, compliance violations with data governance policies such as GDPR, and internal trust issues. While confidentiality is not directly impacted, the presence of unauthorized documents could mislead HR decisions or audits. The vulnerability could also be exploited for social engineering or internal sabotage by uploading misleading or malicious documents. Organizations with large workforces and decentralized HR management are at higher risk. The impact is more significant in sectors with strict regulatory compliance requirements, such as finance, healthcare, and government agencies. Since the vulnerability requires only authenticated access, insider threats or compromised employee credentials increase the risk. The lack of known exploits reduces immediate urgency but does not eliminate the potential for future abuse.

The primary mitigation is to upgrade Horilla installations to version 1.5.0 or later, where the vulnerability is fixed with proper server-side validation of the employee_id parameter. Until upgrade is possible, organizations should implement strict access controls limiting document upload permissions to authorized personnel only. Monitoring and logging of document upload activities should be enhanced to detect anomalous behavior, such as uploads associated with employee IDs different from the authenticated user. Conduct regular audits of employee documents to identify unauthorized uploads. Employ multi-factor authentication to reduce the risk of compromised credentials being used to exploit this vulnerability. Additionally, consider implementing application-layer firewalls or reverse proxies with rules to validate request parameters where feasible. Employee training on security best practices and awareness of insider threats can also reduce risk. Finally, coordinate with the Horilla open-source community to stay informed about patches and security advisories.