What is the CVSS score of CVE-2026-24038?

CVE-2026-24038 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Horilla are affected by CVE-2026-24038?

Organizations using Horilla face notable risk from CVE-2026-24038, a improper authentication vulnerability rated CVSS 8.1.

Is there a public PoC exploit available for CVE-2026-24038?

Yes, a public proof-of-concept exploit is available for CVE-2026-24038. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-24038?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Audit authentication configurations and rotate any potentially compromised credentials.

Horilla CVE-2026-24038

HIGH

Improper Authentication (CWE-287)

2026-01-22 security-advisories@github.com

Authentication Bypass Horilla

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 29, 2026 - 18:54 vuln.today

Public exploit code

CVE Published

Jan 22, 2026 - 04:15 nvd

HIGH 8.1

DescriptionGitHub Advisory

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0.

AnalysisAI

Horilla HRMS versions prior to 1.5.0 allow authenticated attackers to bypass two-factor authentication due to improper OTP validation that treats missing OTP fields as valid when the OTP has expired. Public exploit code exists for this vulnerability, enabling attackers with user credentials to gain unauthorized access to accounts, particularly administrative accounts with access to sensitive HR data and employee records. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate with valid credentials

Exploit

Omit OTP field from POST request

Execution

Bypass two-factor authentication check

Impact

Access authenticated resources