Insufficient Authorization in OrangeHRM's Recruitment Attachment Retrieval Process
CVE-2025-66290

5.3MEDIUM

Key Information:

Vendor: Orangehrm
Status: Orangehrm
Vendor: CVE Published:; 29 November 2025

What is CVE-2025-66290?

In OrangeHRM versions 5.0 to 5.7, the application fails to properly enforce authorization checks for its recruitment attachment retrieval endpoint. This oversight allows authenticated users, even those with limited access rights, to gain unauthorized access to sensitive candidate information, such as CVs and other documents. Specifically, any user can exploit the attachment endpoint to download files for candidates without having the necessary permissions, exposing potentially confidential applicant data. This vulnerability has been addressed in version 5.8 of OrangeHRM.

Affected Version(s)

orangehrm >= 5.0, < 5.8

References

https://github.com/orangehrm/orangehrm/security/advisorie...

x_refsource_CONFIRM

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 29, 2025
Vulnerability Reserved
Nov 26, 2025

CVE-2025-66290 Data

JSON

Orangehrm

What is CVE-2025-66290?

Affected Version(s)

References

CVSS V4

Timeline