Impact
OrangeHRM Open Source versions 5.0 through 5.8 contain an improper access control flaw (CWE-284) that lets an authenticated user bypass modules an administrator has disabled. The disabled-module check does not account for URL-encoded (percent-encoded) request paths: by encoding the path, a user can still invoke functionality belonging to a disabled module, so the disablement is not enforced. The result is unintended use of features the administrator meant to switch off, which may expose or alter data those features handle. The root cause is a weakness in access control enforcement, not a missing authentication step.
Affected Systems
The vulnerability affects the OrangeHRM Open Source edition, versions 5.0 through 5.8. In those versions, disabling a module in the administrator settings does not stop an authenticated user from reaching that module with a URL-encoded request path. The fix is available in OrangeHRM 5.8.1, which enforces the module restrictions on URL-encoded paths as well.
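The two paragraphs above describe the same pattern: an access check that looks at the request path in one form while the application routes on another. The following added example (not OrangeHRM code; the dispatcher layout `/web/index.php/<module>/<action>`, the deny-list and the probe URLs are all constructed for illustration) contrasts a gate that inspects the raw path with one that first canonicalizes it, and runs both against the encoding tricks an authenticated user could try.

```python
"""Illustrative "disabled modules" access gate: vulnerable pattern beside a
canonicalizing one. Not OrangeHRM's code. Assumes (hypothetically) that a
request path looks like /web/index.php/<module>/<action> and that the
administrator has disabled the modules listed in DISABLED_MODULES."""
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Constructed deny-list: modules an administrator has switched off.
DISABLED_MODULES = frozenset({"leave", "time"})

# Assumed front-controller prefix; what follows is <module>/<action>.
DISPATCHER_PREFIX = "/web/index.php/"

MAX_DECODE_ROUNDS = 3  # bound on repeated percent-decoding (%25xx tricks)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the single form a dispatcher would route on:
    drop the query string, percent-decode until stable (bounded), then let
    posixpath.normpath resolve '.', '..' and repeated slashes."""
    path = raw_path.split("?", 1)[0]  # the query string is not part of the route
    prev, rounds = None, 0
    while path != prev and rounds < MAX_DECODE_ROUNDS:
        prev, path = path, unquote(path)
        rounds += 1
    return posixpath.normpath(path)


def module_from_canonical(canon: str) -> Optional[str]:
    """Module segment of an already-canonical path, or None if there is none.
    Lower-casing is fail-closed: it can only make the deny-list match more."""
    if not canon.startswith(DISPATCHER_PREFIX):
        return None
    module = canon[len(DISPATCHER_PREFIX):].split("/", 1)[0]
    return module.lower() or None


def naive_module(raw_path: str) -> Optional[str]:
    """Vulnerable pattern (for contrast): derives the module from the raw,
    still-encoded path. '%6Ceave' is not 'leave' here, so the deny check never
    fires, although the dispatcher decodes it to the leave module."""
    if not raw_path.startswith(DISPATCHER_PREFIX):
        return None
    rest = raw_path[len(DISPATCHER_PREFIX):].split("?", 1)[0]
    return rest.split("/", 1)[0]


def naive_is_allowed(raw_path: str) -> bool:
    return naive_module(raw_path) not in DISABLED_MODULES


def hardened_is_allowed(raw_path: str) -> bool:
    """Decide on the canonical module name, i.e. the value the dispatcher
    actually acts on. Non-dispatcher paths are outside this gate's scope;
    a dispatcher path with no resolvable module is denied (fail closed)."""
    canon = canonicalize(raw_path)
    base = DISPATCHER_PREFIX.rstrip("/")
    if canon != base and not canon.startswith(DISPATCHER_PREFIX):
        return True
    module = module_from_canonical(canon)
    if module is None:
        return False
    return module not in DISABLED_MODULES


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Constructed probes: the plain path, then percent-encoding, double
    encoding, a dot segment and a duplicate slash. Returns
    {path: (naive_allows, hardened_allows)}."""
    probes = [
        "/web/index.php/leave/viewLeaveList",
        "/web/index.php/%6Ceave/viewLeaveList",
        "/web/index.php/%256Ceave/viewLeaveList",
        "/web/index.php/pim/../leave/viewLeaveList",
        "/web/index.php//leave/viewLeaveList",
    ]
    return {p: (naive_is_allowed(p), hardened_is_allowed(p)) for p in probes}


if __name__ == "__main__":
    for path, (naive, hardened) in demo().items():
        print(f"{path:48} naive={'ALLOW' if naive else 'DENY':5} "
              f"hardened={'ALLOW' if hardened else 'DENY'}")
```

Only the first probe is denied by the naive gate; every encoded or un-normalized variant passes it while the canonicalizing gate denies all five. The design point is that the authorization decision must be made on the exact module value the dispatcher resolves, not on the request string; the same holds for any web server or proxy in front of the application, which may decode or normalize differently. A practical check after upgrading to 5.8.1 is to request a disabled module both plainly and with its module segment percent-encoded and confirm that both are refused identically.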
Risk and Exploitability
The CVSS base score of 5.3 rates the issue Medium, and the EPSS score below 1% indicates a low estimated probability of exploitation in the wild. The flaw is not in CISA's Known Exploited Vulnerabilities catalog, and no workaround is published. Exploitation requires a valid account and the ability to send crafted URLs to the application, so the realistic threat is a malicious insider or an attacker holding compromised user credentials. Administrators should still treat the issue as requiring an upgrade to 5.8.1: the impact is moderate, the risk is low but not zero, and where module disablement was relied on to keep data away from ordinary users, those users may have been able to reach it in the affected versions.
OpenCVE Enrichment