{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24038", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-20T22:30:11.777Z", "datePublished": "2026-01-22T03:39:06.216Z", "dateUpdated": "2026-01-22T12:33:39.694Z"}, "containers": {"cna": {"title": "Horilla HR has 2FA Bypass through its OTP Handling Logic", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf"}, {"name": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0"}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"version": ">= 1.4.0, < 1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T03:39:06.216Z"}, "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0."}], "source": {"advisory": "GHSA-hqpv-ff5v-3hwf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T12:33:17.546072Z", "id": "CVE-2026-24038", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T12:33:39.694Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24038", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-22T12:33:17.546072Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T12:33:31.232Z"}}], "cna": {"title": "Horilla HR has 2FA Bypass through its OTP Handling Logic", "source": {"advisory": "GHSA-hqpv-ff5v-3hwf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"status": "affected", "version": ">= 1.4.0, < 1.5.0"}]}], "references": [{"url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf", "name": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "name": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T03:39:06.216Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24038", "state": "PUBLISHED", "dateUpdated": "2026-01-22T12:33:39.694Z", "dateReserved": "2026-01-20T22:30:11.777Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T03:39:06.216Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:horilla:horilla:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "55143854-C369-4CAA-B671-90EFC9170F64", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0."}], "id": "CVE-2026-24038", "lastModified": "2026-01-29T18:54:50.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-22T04:15:59.890", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T03:53:58.862615+00:00", "value": {"mitigation_remediation": ["Upgrade Horilla to version 1.5.0 or later, which contains the OTP logic fix", "Configure the authentication endpoint to require the OTP field and reject requests that omit it or contain null values", "Enable monitoring and rate limiting on authentication attempts to detect and mitigate automated or repeated login attempts"], "summary": {"action": "Apply Patch", "impact": "Authentication bypass (two-factor authentication can be circumvented)"}, "threat_synthesis": {"affected_systems": "The issue exists in Horilla HRMS version 1.4.0, identified by the CPE string cpe:2.3:a:horilla:horilla:1.4.0. The vendor, Horilla Open Source, has released a patch in version 1.5.0 that resolves the vulnerability.", "description_and_impact": "A flaw in the OTP handling logic of Horilla makes the equality check between the user\u2011supplied OTP and the stored OTP perform a comparison with a None value when an OTP has expired. If an attacker omits the OTP field in a POST request, the request OTP is also None and the comparison succeeds, allowing an authenticated session without a valid code. This flaw permits a user to bypass the two\u2011factor authentication entirely, potentially granting full access to the system, including administrator accounts. The compromised account can then retrieve sensitive HR data, modify employee records, and execute additional actions across the platform, thereby affecting confidentiality, integrity, and availability.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.1, indicating high severity. The EPSS score is below 1%, implying a low overall exploitation probability at the current time, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack is likely remote, requiring an attacker to submit a crafted POST request to the authentication endpoint. Successful exploitation permits an attacker to authenticate and gain the same permissions as the targeted account, especially if the account is an administrator. While the exploitation probability is low, the potential impact on sensitive HR information and system integrity warrants prompt remediation."}}}}, "created": "2026-01-22T10:07:52.249501+00:00", "updated": "2026-04-18T04:00:08.412492+00:00", "vendors": ["horilla", "horilla$PRODUCT$horilla"]}