CVE-2026-40867

Horilla: Unauthorized Helpdesk Attachment Access via Attachment ID Manipulation

Description

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose sensitive support files and internal documents across unrelated users or teams.

INFO

Published Date :

2026-04-21T18:16:29.345Z

Last Modified :

2026-04-21T20:36:38.138Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-40867 vulnerability.

Vendors	Products
Horilla	Horilla

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40867.

URL	Resource
https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability