CVE-2026-40867

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose sensitive support files and internal documents across unrelated users or teams.

CVSS

No CVSS.

References

Link	Resource
https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff
https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff

Configurations

No configuration.

History

21 Apr 2026, 21:16

Type	Values Removed	Values Added
References	~~() https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff -~~	() https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff -

21 Apr 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-21 19:16

Updated : 2026-04-22 21:05

NVD link : CVE-2026-40867

Mitre link : CVE-2026-40867

CVE.ORG link : CVE-2026-40867

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-40867", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-21T19:16:18.293", "references": [{"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff", "source": "security-advisories@github.com"}, {"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose sensitive support files and internal documents across unrelated users or teams."}], "lastModified": "2026-04-22T21:05:56.673", "sourceIdentifier": "security-advisories@github.com"}