Horilla is an open-source Human Resource Management System (HRMS) used to manage employee data and HR workflows. In versions 1.4.0 through 1.4.x, a critical flaw exists in the access control mechanism governing document approval. The document approval user interface is designed to be accessible only by administrators or users with elevated privileges. However, the server-side authorization logic on the approval endpoint fails to properly verify the user's role, allowing any authenticated employee to approve documents they have uploaded themselves. This improper access control (CWE-284) enables low-privileged users to alter application state reserved for administrators, effectively bypassing HR governance controls. The impact includes the potential acceptance of fraudulent or unverified documents such as credentials or certifications, which can compromise HR decision-making and compliance. The vulnerability does not affect confidentiality or availability but impacts integrity. Exploitation requires only low privileges and no user interaction, making it relatively easy to exploit within affected environments. The vulnerability was publicly disclosed on January 22, 2026, with no known exploits in the wild. The vendor addressed the issue in Horilla version 1.5.0 by implementing proper server-side authorization checks to restrict document approval actions to authorized roles only.

For European organizations using Horilla HRMS versions 1.4.0 to 1.4.x, this vulnerability poses a significant risk to the integrity of HR processes. Attackers with employee-level access can self-approve documents, potentially allowing fraudulent credentials, certifications, or other critical HR documents to be accepted without proper vetting. This can lead to regulatory compliance issues, especially under strict European data protection and employment laws, and may result in hiring unqualified personnel or internal fraud. While confidentiality and availability are not directly impacted, the trustworthiness of HR data and workflows is compromised, which can have downstream effects on organizational security and compliance. The ease of exploitation and the lack of required user interaction increase the likelihood of abuse if the vulnerability is not patched. Organizations in sectors with stringent HR compliance requirements, such as finance, healthcare, and government, are particularly at risk.

European organizations should immediately upgrade Horilla HRMS installations to version 1.5.0 or later, where the vulnerability is fixed. Until upgrades can be performed, organizations should implement compensating controls such as restricting access to the document approval UI and endpoints via network segmentation or web application firewalls (WAFs) that enforce role-based access controls. Conduct thorough audits of document approval logs to detect unauthorized approvals and implement enhanced monitoring for anomalous approval activities. Additionally, enforce strict internal policies requiring multi-person approval workflows for critical HR documents to reduce the risk of unilateral fraudulent approvals. Regularly review and update user roles and permissions to ensure least privilege principles are applied. Finally, educate HR and IT staff about the vulnerability and the importance of timely patching and monitoring.