CVE-2026-24036 Overview
CVE-2026-24036 is an information disclosure vulnerability affecting Horilla, a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details/ endpoint without proper authentication controls. The vulnerable endpoint returns sensitive draft job titles, descriptions, and application links, allowing unauthenticated users to view unpublished roles and access the application workflow for jobs that have not been made public.
Critical Impact
Unauthorized access to unpublished job posts can leak sensitive internal hiring information, potentially revealing strategic business plans, salary ranges, and organizational changes before official announcements, while also causing confusion among candidates who may apply for positions not yet approved for publication.
Affected Products
- Horilla HRMS versions 1.4.0 and above, prior to 1.5.0 (the release that contains the fix)
Discovery Timeline
- 2026-01-22 - CVE-2026-24036 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-24036
Vulnerability Analysis
This vulnerability is classified under CWE-284 (Improper Access Control), which occurs when an application does not properly restrict access to a resource from an unauthorized actor. In the case of Horilla HRMS, the recruitment module fails to verify whether job postings have been published before returning their details to requesting users.
The core issue lies in the recruitment details view function, which queries the database for recruitment records based solely on the provided ID parameter without filtering for publication status. This allows any user—authenticated or not—to enumerate recruitment IDs and retrieve information about draft, pending, or otherwise unpublished job postings.
The vulnerability is exploitable over the network without any user interaction required, and attackers need no privileges or authentication to access the sensitive information. While the confidentiality impact is limited to exposure of unpublished recruitment data, this can have significant business implications for organizations using Horilla for their HR processes.
Root Cause
The root cause of CVE-2026-24036 is missing access control validation in the recruitment details endpoint. The original implementation in recruitment/views/views.py and recruitment/views/surveys.py did not include the is_published=True filter when querying recruitment records. This oversight allowed the retrieval of recruitment data regardless of its publication status.
Additionally, the recruitment_details function lacked the @hx_request_required decorator, which would have added an additional layer of request validation.
Attack Vector
The attack vector for this vulnerability is straightforward:
- An attacker identifies a Horilla HRMS installation accessible over the network
- The attacker crafts requests to the /recruitment/recruitment-details/{id}/ endpoint
- By incrementing or brute-forcing the recruitment ID parameter, the attacker can enumerate and access unpublished job postings
- The response includes draft job titles, descriptions, and application links that should remain private
The following code shows the security patch applied to recruitment/views/surveys.py:
return redirect("open-recruitments")
try:
- recruitment = Recruitment.objects.filter(id=recruitment_id).first()
+ recruitment = Recruitment.objects.filter(
+ id=recruitment_id, is_published=True
+ ).first() # Only create applications for published recruitments.
if not recruitment:
messages.error(request, _("Recruitment not found"))
return redirect("open-recruitments")
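Review bot: adding is_published=True to the filter is the right fix for the application workflow, and reusing the same "Recruitment not found" message for an unpublished ID as for a missing one is correct, since a distinct message would let a caller tell draft postings apart from non-existent ones. One style point: the trailing comment on the `).first()` line belongs on its own line above the query, where it documents why the condition is there instead of being tacked onto a wrapped statement.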
Source: GitHub Commit 9a585a1
The fix in recruitment/views/views.py adds the @hx_request_required decorator:
return response
+@hx_request_required
def recruitment_details(request, id):
"""
This method is used to render the recruitment details page
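Review bot: this hunk only wraps recruitment_details in @hx_request_required, which constrains how the view may be called but is not an authorization check; the is_published=True filter that the surveys.py change adds is not visible here, and the advisory text states the original views.py query lacked it, so confirm the query inside recruitment_details also filters on is_published=True, otherwise a request that satisfies the decorator still retrieves unpublished postings.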
Source: GitHub Commit 9a585a1
Detection Methods for CVE-2026-24036
Indicators of Compromise
- Unusual access patterns to /recruitment/recruitment-details/ endpoints with sequential or randomized ID parameters
- HTTP requests to recruitment detail endpoints from unauthenticated sessions
- Access logs showing enumeration attempts across multiple recruitment IDs in short time periods
- Requests to recruitment endpoints from external IP addresses or unexpected geographic locations
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block enumeration attempts on recruitment endpoints
- Configure intrusion detection systems (IDS) to alert on unusual patterns of requests to the recruitment module
- Monitor application logs for access to recruitment details without corresponding authentication events
- Deploy anomaly detection to identify bulk requests to recruitment-related URLs
Monitoring Recommendations
- Enable detailed access logging for all recruitment module endpoints
- Set up alerts for unauthenticated requests to sensitive recruitment endpoints
- Implement rate limiting on recruitment detail endpoints to slow enumeration attacks
- Regularly audit access logs for patterns consistent with information gathering reconnaissance
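To make the detection and monitoring guidance above concrete, here is an added example (not part of the original advisory or of the Horilla project) that parses nginx combined-format access log lines and flags source addresses that request several distinct recruitment IDs on the affected endpoint inside a short window, which is the enumeration pattern listed under Indicators of Compromise. The log lines are constructed samples; the window and threshold values are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2026:10:00:01 +0000] "GET /recruitment/recruitment-details/1/ HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [22/Jan/2026:10:00:02 +0000] "GET /recruitment/recruitment-details/2/ HTTP/1.1" 200 5130 "-" "curl/8.4.0"
203.0.113.7 - - [22/Jan/2026:10:00:02 +0000] "GET /recruitment/recruitment-details/3/ HTTP/1.1" 200 5100 "-" "curl/8.4.0"
203.0.113.7 - - [22/Jan/2026:10:00:03 +0000] "GET /recruitment/recruitment-details/4/ HTTP/1.1" 200 4900 "-" "curl/8.4.0"
203.0.113.7 - - [22/Jan/2026:10:00:04 +0000] "GET /recruitment/recruitment-details/5/ HTTP/1.1" 404 310 "-" "curl/8.4.0"
198.51.100.9 - - [22/Jan/2026:10:05:00 +0000] "GET /recruitment/recruitment-details/12/ HTTP/1.1" 200 5200 "https://hr.example/open-recruitments" "Mozilla/5.0"
198.51.100.9 - - [22/Jan/2026:10:07:30 +0000] "GET /recruitment/recruitment-details/14/ HTTP/1.1" 200 5210 "https://hr.example/open-recruitments" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Path of the affected view, with the numeric recruitment ID captured.
DETAILS_RE = re.compile(r"^/recruitment/recruitment-details/(?P<rid>\d+)/?$")

def parse_details_requests(log_text):
    """Yield (ip, timestamp, recruitment_id, status) for hits on the affected endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        d = DETAILS_RE.match(m["path"]) if m else None
        if not d:
            continue  # not a parseable line, or not the recruitment-details view
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, int(d["rid"]), int(m["status"])

def find_enumeration(log_text, window_seconds=60, min_ids=3):
    """Flag source IPs that request at least `min_ids` distinct recruitment IDs within
    any span of `window_seconds` (sliding window). Returns {ip: sorted IDs it touched}."""
    window, by_ip = timedelta(seconds=window_seconds), defaultdict(list)
    for ip, ts, rid, _status in parse_details_requests(log_text):
        by_ip[ip].append((ts, rid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # shrink window from the left
                start += 1
            if len({rid for _, rid in events[start:end + 1]}) >= min_ids:
                flagged[ip] = sorted({rid for _, rid in events})
                break
    return flagged
```

Normal visitors reach recruitment details from the open-recruitments listing a few at a time, so a single address touching many consecutive IDs in seconds is the signal worth alerting on; feed `find_enumeration` the tail of the access log on a schedule and page on any non-empty result.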
How to Mitigate CVE-2026-24036
Immediate Actions Required
- Upgrade Horilla HRMS to version 1.5.0 or later immediately
- Review access logs for evidence of exploitation prior to patching
- Audit any unpublished job postings for sensitive information that may have been exposed
- Consider temporarily restricting external access to the Horilla application until patching is complete
Patch Information
The vulnerability has been fixed in Horilla HRMS version 1.5.0. The patch adds the is_published=True filter to recruitment queries and implements the @hx_request_required decorator on the recruitment details view. Organizations should upgrade to version 1.5.0 or later to remediate this vulnerability.
For detailed information about the fix, refer to the GitHub Security Advisory GHSA-q4xr-w96p-3vg7 and the Horilla 1.5.0 Release.
Workarounds
- Implement network-level access controls to restrict access to the Horilla application to authorized networks only
- Deploy a reverse proxy or WAF to block unauthenticated requests to /recruitment/recruitment-details/ endpoints
- Temporarily disable the recruitment module if not actively needed until the patch can be applied
- Implement authentication requirements at the web server level for all recruitment-related paths
# Example nginx configuration to restrict recruitment endpoint access
# (assumes an upstream block named horilla_backend is defined elsewhere in the config)
location /recruitment/recruitment-details/ {
    # Require authentication or restrict to internal networks
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    # Or use basic authentication as a temporary measure
    # auth_basic "Restricted Access";
    # auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://horilla_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.