Description
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal records. This vulnerability is fixed in 5.8.1.
Published: 2026-04-07
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity
Action: Immediate Patch
AI Analysis

Impact

Administrator users can alter self‑appraisal submissions after they have been marked completed, overturning the integrity of finalized appraisal records. This flaw allows a privileged attacker to change performance data that may shape HR decisions, promotions, or disciplinary actions. The weakness is an improper access control violation (CWE‑285).

Affected Systems

OrangeHRM Open Source releases from 5.0 through 5.8 are vulnerable. The issue is present in all 5.x versions up to and including 5.8 and was resolved in 5.8.1. Users of any impacted version should verify their current build against the fixed release.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate risk, while an EPSS score below 1 percent suggests low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly known active exploits exist. The likely attack vector requires authenticated administrator access; an attacker who can log on as an admin can edit appraisal records after completion.

Generated by OpenCVE AI on April 9, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OrangeHRM to version 5.8.1 or later.

Generated by OpenCVE AI on April 9, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Orangehrm
Orangehrm orangehrm
Vendors & Products Orangehrm
Orangehrm orangehrm

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal records. This vulnerability is fixed in 5.8.1.
Title OrangeHRM's Self‑Appraisal Submission of Admin Users Can Be Modified After Completion
Weaknesses CWE-285
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Orangehrm Orangehrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:17:56.930Z

Reserved: 2026-04-06T20:28:38.394Z

Link: CVE-2026-39347

cve-icon Vulnrichment

Updated: 2026-04-09T15:05:20.639Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T19:16:45.780

Modified: 2026-04-09T18:25:04.570

Link: CVE-2026-39347

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:41:16Z

Weaknesses