Description
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifiers. This vulnerability is fixed in 5.8.1.
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of job specification and vacancy attachments
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from missing authorization checks in the file download handlers of OrangeHRM Open Source versions 5.0 through 5.8. This allows any authenticated user with low privileges to download attachments by directly referencing attachment identifiers, resulting in the unintended disclosure of potentially sensitive HR data such as job specifications and vacancy attachments.

Affected Systems

OrangeHRM Open Source, versions 5.0 to 5.8 inclusive.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and an EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The exploitation requires a legitimate authenticated session and knowledge of attachment identifiers, exposing the system to confidentiality risks. The vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on April 10, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch to upgrade to OrangeHRM version 5.8.1 or later.

Generated by OpenCVE AI on April 10, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Orangehrm
Orangehrm orangehrm
Vendors & Products Orangehrm
Orangehrm orangehrm

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifiers. This vulnerability is fixed in 5.8.1.
Title OrangeHRM is Missing Authorization Checks in AbstractFileController Subclasses Expose Job Specification and Vacancy Attachments
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Orangehrm Orangehrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:43:33.902Z

Reserved: 2026-04-06T20:28:38.394Z

Link: CVE-2026-39348

cve-icon Vulnrichment

Updated: 2026-04-08T18:43:28.719Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T19:16:45.923

Modified: 2026-04-10T19:33:25.540

Link: CVE-2026-39348

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:26:24Z

Weaknesses