Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0.
References
| Link | Resource |
|---|---|
| https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 | Release Notes |
| https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf | Exploit Vendor Advisory |
Configurations
History
29 Jan 2026, 18:54
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:horilla:horilla:1.4.0:*:*:*:*:*:*:* | |
| First Time |
Horilla
Horilla horilla |
|
| References | () https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 - Release Notes | |
| References | () https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf - Exploit, Vendor Advisory |
22 Jan 2026, 04:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-22 04:15
Updated : 2026-01-29 18:54
NVD link : CVE-2026-24038
Mitre link : CVE-2026-24038
CVE.ORG link : CVE-2026-24038
JSON object : View
Products Affected
horilla
- horilla
CWE
CWE-287
Improper Authentication