CVE-2026-24038
Published: 22 January 2026
Summary
CVE-2026-24038 is a high-severity Improper Authentication (CWE-287) vulnerability in Horilla Horilla. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly manages OTP authenticators to ensure sufficient strength of mechanism and proper handling, preventing flawed equality checks that allow bypass via None values.
Requires validation of inputs like the OTP field in POST requests, rejecting omitted or invalid OTPs to block authentication bypass attempts.
Mandates timely identification, reporting, and correction of software flaws such as the OTP handling logic vulnerability, enabling patching to Horilla 1.5.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct network-exploitable auth bypass in public-facing HRMS web app enables unauthorized use of valid accounts by defeating 2FA checks.
NVD Description
Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker…
more
omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0.
Deeper analysisAI
CVE-2026-24038 is a vulnerability in Horilla, a free and open source Human Resource Management System (HRMS), affecting version 1.4.0. The flaw resides in the OTP handling logic, which performs an incorrect equality check that can be bypassed. Specifically, when an OTP expires, the server returns None; an attacker can omit the otp field from their POST request, making the user-supplied OTP None as well, causing the comparison user_otp == otp to pass falsely and bypass two-factor authentication without providing a valid OTP.
The vulnerability has a CVSS score of 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating exploitation over the network with low complexity, requiring low privileges, no user interaction, and resulting in high impacts to confidentiality and integrity. An attacker who can initiate a login process—such as knowing a target username—can exploit this to fully bypass 2FA. Targeting administrative accounts enables compromise of sensitive HR data, manipulation of employee records, and broader system abuse, classified under CWE-287 (Improper Authentication).
The issue is fixed in Horilla version 1.5.0. Mitigation details are available in the GitHub security advisory at https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf and the release notes at https://github.com/horilla-opensource/horilla/releases/tag/1.5.0.
Details
- CWE(s)