Authorization Bypass in OrangeHRM Human Resource Management System
CVE-2026-39348

5.3MEDIUM

Key Information:

Vendor: Orangehrm
Status: Orangehrm
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-39348?

The OrangeHRM Open Source human resource management system suffers from an authorization bypass vulnerability affecting versions 5.0 to 5.8. This flaw allows authenticated low-privilege users to access and download job specification and vacancy attachments without proper authorization, through direct references to attachment identifiers. A patch addressing this issue is included in version 5.8.1.

Affected Version(s)

orangehrm >= 5.0, < 5.8.1

References

https://github.com/orangehrm/orangehrm/security/advisorie...

x_refsource_CONFIRM

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39348 Data

JSON

Orangehrm

What is CVE-2026-39348?

Affected Version(s)

References

CVSS V4

Timeline