CVE-2026-39345
Status: Received - Intake
Local File Read via Email Template Path in OrangeHRM

Publication date: 2026-04-07

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary local files. This vulnerability is fixed in 5.8.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: orangehrm
Product: orangehrm
Version / Range: From 5.0 (inc) to 5.8.1 (exc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39345 is a vulnerability in OrangeHRM Open Source versions 5.0 through 5.8 where the system fails to properly restrict the resolution of email template file paths to the intended plugins directory.

This flaw allows an authenticated user with high privileges who can influence the email template path to perform a path traversal attack, reading arbitrary local files on the server.

The vulnerability arises because the software does not properly neutralize special path elements such as "../" before resolving the template file, so the resolved path can land outside the restricted plugins directory.

It was fixed in version 5.8.1 of OrangeHRM.
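The two patterns at the heart of this CWE-22 issue, shown side by side as an added illustration (this is not OrangeHRM's code, and the plugin and file names in the fixture are constructed): an unchecked join of a caller-supplied template name onto the plugins directory, and a resolver that canonicalises the candidate and refuses anything that is not a regular file strictly under the canonical plugins directory.

```python
"""Added example (not OrangeHRM code): containing template resolution
inside a plugins directory, versus an unchecked path join."""
import os
import shutil
import tempfile
from pathlib import Path


class TemplatePathError(ValueError):
    """The requested template does not live under the plugins directory."""


def resolve_template_unchecked(plugins_dir: str, template_path: str) -> str:
    # The weak pattern: the caller-supplied name is joined onto the base
    # directory and used as-is. "../" segments walk out of plugins_dir, and an
    # absolute template_path makes os.path.join discard plugins_dir entirely.
    return os.path.normpath(os.path.join(plugins_dir, template_path))


def resolve_template_checked(plugins_dir: str, template_path: str) -> Path:
    # The hardened pattern: canonicalise both sides (resolve() follows symlinks
    # and collapses ".." segments), then require the candidate to be a regular
    # file strictly below the canonical plugins directory. A symlink inside
    # plugins_dir that points outside it is rejected for the same reason.
    base = Path(plugins_dir).resolve(strict=True)
    candidate = (base / template_path).resolve()
    if candidate == base or base not in candidate.parents:
        raise TemplatePathError(f"template path escapes plugins directory: {template_path!r}")
    if not candidate.is_file():
        raise FileNotFoundError(f"no such template: {template_path!r}")
    return candidate


def build_demo_tree() -> tuple:
    """Constructed fixture: a plugins dir holding one legitimate template, and a
    sibling file outside it standing in for a sensitive local file.
    Returns (root, plugins_dir, outside_file)."""
    root = tempfile.mkdtemp(prefix="tmpl-demo-")
    plugins = os.path.join(root, "plugins")
    templates = os.path.join(plugins, "demoPlugin", "templates")  # hypothetical plugin layout
    os.makedirs(templates)
    with open(os.path.join(templates, "welcome.html.twig"), "w") as fh:
        fh.write("Hello {{ name }}\n")
    outside = os.path.join(root, "config.ini")
    with open(outside, "w") as fh:
        fh.write("db_password=constructed-sample\n")
    return root, plugins, outside


def demo_outcomes() -> dict:
    """Run both resolvers over benign and hostile inputs; every value is True
    when the unchecked join escapes and the checked resolver contains."""
    root, plugins, outside = build_demo_tree()
    legit = "demoPlugin/templates/welcome.html.twig"
    out = {}
    try:
        expected_outside = os.path.normpath(outside)
        out["unchecked_escapes"] = resolve_template_unchecked(plugins, "../config.ini") == expected_outside
        out["unchecked_absolute_escapes"] = resolve_template_unchecked(plugins, outside) == expected_outside
        out["checked_accepts_legit"] = resolve_template_checked(plugins, legit).read_text() == "Hello {{ name }}\n"
        hostile = (("traversal", "../config.ini"),
                   ("absolute", outside),
                   ("nested_traversal", "demoPlugin/../../config.ini"))
        for label, bad in hostile:
            try:
                resolve_template_checked(plugins, bad)
                out[f"checked_rejects_{label}"] = False
            except TemplatePathError:
                out[f"checked_rejects_{label}"] = True
        try:
            resolve_template_checked(plugins, "demoPlugin/templates")  # a directory, not a template
            out["checked_rejects_directory"] = False
        except FileNotFoundError:
            out["checked_rejects_directory"] = True
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return out


if __name__ == "__main__":
    for name, ok in demo_outcomes().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The containment test compares canonical paths rather than inspecting the string for "../": a string filter misses encoded or platform-specific separators, whereas `resolve()` followed by a parent check decides on where the path actually lands.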


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an authenticated user with high privileges to read arbitrary local files on the server, potentially exposing confidential information stored on the system.

Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an authenticated user with elevated privileges to read arbitrary local files on the server hosting OrangeHRM.

While the initial confidentiality impact is low, the ability to read arbitrary files can lead to exposure of sensitive or confidential information stored on the server, which can have serious consequences.

There is no direct impact on system integrity or availability from this vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The first check is whether your OrangeHRM Open Source installation runs a version from 5.0 to 5.8 inclusive, since those versions are affected.

Because exploitation requires an authenticated user with high privileges to manipulate the email template path, detection otherwise rests on spotting unusual or unauthorized access to email template files, in particular template path values that point outside the intended plugins directory.

Specific commands are not provided in the available resources, but general detection steps could include:

  • Reviewing application logs for suspicious template path parameters or file access attempts.
  • Using file integrity monitoring tools to detect unexpected file reads or accesses.
  • Checking the version of OrangeHRM installed by running commands like `dpkg -l | grep orangehrm` on Debian-based systems or inspecting the application version via its interface or deployment metadata.
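A concrete form of the first bullet, added here as an example (the log format, field name `template=` and every line in the sample are constructed, not taken from OrangeHRM's logs): decode each template path value until it stops changing, so single- and double-URL-encoded forms are seen as what they become, and flag parent-directory segments, absolute paths and embedded null bytes.

```python
"""Added example (not OrangeHRM tooling): flag template path parameters in
application logs that try to leave the template directory."""
import re
from urllib.parse import unquote

# Constructed sample: one application log line per template preview request.
LOG_SAMPLE = [
    "2026-04-07T10:21:05Z user=admin action=email_template_preview template=demoPlugin/templates/welcome.html.twig",
    "2026-04-07T10:22:17Z user=admin action=email_template_preview template=..%2F..%2Fconfig.ini",
    "2026-04-07T10:23:40Z user=admin action=email_template_preview template=%252e%252e%252fconfig.ini",
    "2026-04-07T10:24:01Z user=hr_manager action=email_template_preview template=demoPlugin/templates/reminder.html.twig",
    "2026-04-07T10:25:13Z user=admin action=email_template_preview template=/srv/app/secret.conf",
]

TEMPLATE_PARAM = re.compile(r"\btemplate=(\S+)")  # hypothetical field name
WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo URL encoding repeatedly (bounded) so %252e%252e becomes '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_reason(raw_value: str):
    """Return why a template path value looks like an escape attempt, or None."""
    decoded = decode_fully(raw_value)
    if "\x00" in decoded:
        return "null byte"
    if decoded.startswith(("/", "\\")) or WINDOWS_DRIVE.match(decoded):
        return "absolute path"
    segments = re.split(r"[\\/]+", decoded)
    if ".." in segments:
        return "parent-directory segment"
    return None


def scan_log(lines):
    """Yield (line_number, reason, raw_value) for every suspicious template value."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = TEMPLATE_PARAM.search(line)
        if not match:
            continue
        reason = suspicious_reason(match.group(1))
        if reason:
            hits.append((number, reason, match.group(1)))
    return hits


if __name__ == "__main__":
    for number, reason, value in scan_log(LOG_SAMPLE):
        print(f"line {number}: {reason}: {value}")
```

Run against real logs, the same function applies once the regex is pointed at whatever field carries the template path in your deployment; a hit is a prompt to review that account's activity, not proof of exploitation on its own, since benign tooling occasionally sends absolute paths.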

What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation step is to upgrade OrangeHRM Open Source to version 5.8.1 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, limit high-privilege accounts to trusted users and keep the application itself reachable only by authenticated users, since exploitation requires such privileges.

Additionally, monitor and audit email template path usage and file access patterns to detect any attempts to exploit the vulnerability.

