How to fix CVE-2026-40865?

Within 24 hours: Audit API access logs for document ID manipulation patterns and identify affected employees. Notify your Horilla vendor contact to confirm patch timeline for version 1.5.0 and request interim security guidance. Within 7 days: Implement network-level API request logging and consider rate-limiting or IP-based access controls on the document viewer API endpoint. Within 30 days: Deploy patched version of Horilla HRMS as soon as vendor release is available, or migrate to alternative HRMS if no patch timeline is provided by vendor.

Is Horilla HRMS affected by CVE-2026-40865?

Horilla HRMS 1.5.0 contains an insecure direct object reference vulnerability that allows authenticated employees to access other employees' sensitive HR documents-including identity documents, contracts, and certificates-by manipulating API requests.

Horilla HRMS CVE-2026-40865

EUVD-2026-24231 HIGH

Improper Access Control (CWE-284)

2026-04-21 GitHub_M

Authentication Bypass

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:07 vuln.today

cvss_changed

Analysis Generated

Apr 21, 2026 - 19:47 vuln.today

CVSS changed

Apr 21, 2026 - 19:22 NVD

7.1 (HIGH)

DescriptionNVD

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This exposes sensitive HR files such as identity documents, contracts, certificates, and other private employee records.

AnalysisAI

Insecure direct object reference in Horilla HRMS 1.5.0 employee document viewer allows authenticated users to access other employees' sensitive HR files by manipulating document IDs in API requests. Successful exploitation exposes identity documents, employment contracts, certificates, and other confidential employee records. …

RemediationAI

Within 24 hours: Audit API access logs for document ID manipulation patterns and identify affected employees. Notify your Horilla vendor contact to confirm patch timeline for version 1.5.0 and request interim security guidance. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40865 vulnerability details – vuln.today

Back

Horilla HRMS CVE-2026-40865

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Horilla HRMS CVE-2026-40865

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code