Horilla is an open-source Human Resource Management System widely used for managing recruitment and HR workflows. In versions 1.4.0 through 1.4.x, a critical endpoint (/recruitment/recruitment-details//) improperly exposes unpublished job postings without requiring any authentication. This endpoint returns sensitive draft information including job titles, descriptions, and application links for roles not yet published internally or externally. The root cause is an improper access control (CWE-284) where the system fails to restrict access to draft recruitment data to authorized users only. Because no authentication or user interaction is required, any remote attacker or unauthenticated user can retrieve this information simply by querying the endpoint. Although the vulnerability does not allow modification or deletion of data, the confidentiality of internal hiring plans is compromised. This could lead to competitive intelligence leaks, internal HR process exposure, and confusion among job candidates who might access incomplete or premature job postings. The vulnerability was publicly disclosed and assigned CVE-2026-24036 with a CVSS v3.1 base score of 5.3 (medium severity), reflecting its network attack vector, no privileges required, and limited confidentiality impact. The vendor addressed the issue in horilla version 1.5.0 by enforcing proper authentication and authorization checks on the recruitment details endpoint.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive internal HR information, including unpublished job openings and recruitment strategies. Such leaks can damage organizational reputation, provide competitors with insight into hiring plans, and cause confusion or mistrust among prospective candidates who might access incomplete job postings. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach can have indirect operational and strategic impacts. Organizations in highly competitive sectors or those with sensitive hiring needs (e.g., government, defense, finance) are particularly at risk. Additionally, GDPR considerations apply since unauthorized exposure of internal HR data could be considered a personal data breach if candidate or employee information is involved, potentially leading to regulatory scrutiny and fines.

The primary mitigation is to upgrade horilla to version 1.5.0 or later, where the access control flaw has been fixed. Until upgrade is possible, organizations should implement network-level access restrictions to the /recruitment/recruitment-details// endpoint, such as IP whitelisting or VPN-only access. Additionally, web application firewalls (WAFs) can be configured to block unauthenticated requests targeting this endpoint. Conduct a thorough audit of all HRMS endpoints to ensure no other sensitive data is exposed without authentication. Organizations should also review internal policies on publishing job postings and limit draft data exposure. Monitoring and alerting on unusual access patterns to recruitment endpoints can help detect exploitation attempts. Finally, communicate with HR and recruitment teams about the risk and ensure they understand the importance of controlling access to unpublished job data.