{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40867", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.718Z", "datePublished": "2026-04-21T18:16:29.345Z", "dateUpdated": "2026-04-21T20:36:38.138Z"}, "containers": {"cna": {"title": "Horilla: Unauthorized Helpdesk Attachment Access via Attachment ID Manipulation", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff"}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"version": "1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T18:16:29.345Z"}, "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose sensitive support files and internal documents across unrelated users or teams."}], "source": {"advisory": "GHSA-j6qp-j853-qrff", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:54:03.761118Z", "id": "CVE-2026-40867", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:36:38.138Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40867", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:54:03.761118Z"}}}], "references": [{"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:54:13.906Z"}}], "cna": {"title": "Horilla: Unauthorized Helpdesk Attachment Access via Attachment ID Manipulation", "source": {"advisory": "GHSA-j6qp-j853-qrff", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"status": "affected", "version": "1.5.0"}]}], "references": [{"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff", "name": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose sensitive support files and internal documents across unrelated users or teams."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T18:16:29.345Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40867", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:36:38.138Z", "dateReserved": "2026-04-15T15:57:41.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T18:16:29.345Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose sensitive support files and internal documents across unrelated users or teams."}], "id": "CVE-2026-40867", "lastModified": "2026-04-22T21:05:56.673", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T19:16:18.293", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.5.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "horilla", "source": "cna", "vendor": "horilla-opensource"}, "product": "horilla", "vendor": "horilla"}], "analysis": {"en": {"generated_at": "2026-04-22T06:46:12.513575+00:00", "value": {"mitigation_remediation": ["Upgrade to a Horilla release that includes the authorization fix for attachment access.", "If a patch is not yet available, restrict \u201cview attachment\u201d permissions to the appropriate role(s) or temporarily disable the attachment viewing endpoint.", "Audit helpdesk attachment logs for abnormal download activity and enforce stricter role-based access control policies to prevent unauthorized access."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to attachments"}, "threat_synthesis": {"affected_systems": "The issue affects the open-source Horilla HRMS, specifically version 1.5.0. Users running this version should be aware that any authenticated account can abuse this flaw to download attachments from unrelated users or teams.", "description_and_impact": "Horilla 1.5.0 contains a broken access control flaw in the helpdesk attachment viewer that allows any authenticated user to change the attachment ID and view attachments belonging to other tickets. The vulnerability, identified as CWE-284 and CWE-639, can expose confidential support files and internal documents, thereby compromising confidentiality and potentially allowing further exploitation if sensitive data is accessed.", "risk_and_exploitability": "With a CVSS score of 7.1 the vulnerability is of moderate to high severity. No EPSS score is available, but the vulnerability requires authentication and is not listed in the CISA KEV catalog, suggesting limited public exploitation to date. The attack vector is likely internal or restricted to organizations with Horilla installed; however, once login credentials are obtained or the system is compromised, an attacker can leverage the flaw to exfiltrate sensitive documents."}}}}, "created": "2026-04-22T07:00:12.119241+00:00", "updated": "2026-04-22T11:45:52.245068+00:00", "vendors": ["horilla", "horilla$PRODUCT$horilla"]}