CVE-2026-24038 affects Horilla, an open-source Human Resource Management System, specifically versions from 1.4.0 up to but not including 1.5.0. The vulnerability arises from improper authentication due to flawed OTP handling logic. When an OTP expires, the server returns a None value. If an attacker crafts a POST request omitting the OTP field, the user-supplied OTP is also interpreted as None. The equality check comparing user_otp == otp thus evaluates to true, bypassing the two-factor authentication mechanism entirely. This bypass allows attackers to authenticate without providing a valid OTP, effectively negating the second factor of authentication. The vulnerability is particularly critical when targeting administrative accounts, as it can lead to unauthorized access to sensitive HR data, manipulation of employee records, and potential lateral movement within the system. The CVSS 3.1 base score is 8.1, reflecting high severity due to network attack vector, low attack complexity, and no user interaction required. The vulnerability does not affect availability but severely impacts confidentiality and integrity. No known exploits have been reported in the wild as of the publication date. The issue was resolved in Horilla version 1.5.0 by correcting the OTP comparison logic to properly handle expired OTPs and prevent bypass. Organizations running affected versions should prioritize upgrading to mitigate risk.

For European organizations, the impact of this vulnerability is significant. HRMS platforms like Horilla often store highly sensitive personal data, including employee identities, payroll information, and performance records. Unauthorized access through this vulnerability could lead to data breaches violating GDPR and other privacy regulations, resulting in legal penalties and reputational damage. Attackers gaining administrative access could manipulate employee records, disrupt HR operations, or use the compromised system as a foothold for broader network intrusion. The lack of requirement for user interaction and the ability to exploit remotely increase the risk of widespread exploitation. Organizations in sectors with stringent compliance requirements, such as finance, healthcare, and government, face heightened consequences. The vulnerability undermines trust in multi-factor authentication, a critical security control, potentially exposing organizations to further attacks if not remediated promptly.

Immediate upgrade to Horilla version 1.5.0 or later is the primary mitigation step to address the OTP bypass vulnerability. Organizations should audit authentication logs for suspicious login attempts where the OTP field was missing or null. Implement additional monitoring and alerting on administrative account access patterns. Where possible, enforce IP whitelisting or VPN access for administrative interfaces to reduce exposure. Consider integrating external multi-factor authentication solutions that do not rely solely on the vulnerable OTP logic. Conduct a thorough review of user privileges and remove unnecessary administrative rights. Educate HR and IT staff about the vulnerability and the importance of timely patching. If upgrading is temporarily not feasible, implement compensating controls such as network segmentation and enhanced anomaly detection to limit potential exploitation.