CVE-2026-39346
Access Control Bypass in OrangeHRM Modules via URL Encoding
Publication date: 2026-04-07
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orangehrm | orangehrm | From 5.0 (inc) to 5.8.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39346 is a vulnerability in OrangeHRM Open Source versions 5.0 through 5.8 that allows authenticated users to bypass access controls on modules that have been disabled by an administrator.
This bypass occurs because the system does not properly enforce access restrictions when URL-encoded request paths are used, enabling users to access functionality of disabled modules.
The vulnerability can be exploited remotely over a network by authenticated users with low privileges and does not require any interaction from other users.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to certain information and limited unauthorized modification of data within the OrangeHRM system.
- Confidentiality impact is low, meaning some sensitive information might be exposed.
- Integrity impact is low, indicating limited unauthorized changes to data may occur.
- There is no impact on system availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OrangeHRM Open Source to version 5.8.1 or later, where the issue has been fixed.
Since the vulnerability allows authenticated users to bypass disabled-module access controls via URL-encoded request paths, ensuring that all users have appropriate privileges and restricting access to trusted users can help reduce risk until the patch is applied.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves bypassing disabled-module access controls in OrangeHRM Open Source versions 5.0 to 5.8 by using URL-encoded request paths. Detection involves monitoring for unusual or unauthorized access attempts to disabled modules via URL-encoded paths.
To detect exploitation attempts on your system or network, you can analyze web server logs for requests containing URL-encoded paths targeting modules that should be disabled.
- Use grep or similar tools to search for URL-encoded characters in access logs, for example: `grep -i '%2f' /var/log/apache2/access.log`
- Look for requests from authenticated users accessing disabled modules by checking session or authentication logs correlated with suspicious URL-encoded requests.
- Use network monitoring tools to detect unusual HTTP requests with encoded paths that bypass access controls.
Note that no specific detection commands are provided in the available resources, so these suggestions are general approaches based on the nature of the vulnerability.
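The two points above, that the fix is to apply the module gate to a canonicalized path and that detection means decoding request paths before comparing them with the disabled-module list, can be shown in one small script. The following is an added example written for this page; it is not OrangeHRM code and does not reproduce OrangeHRM's routing or its actual module paths. The disabled-module prefixes (`/app/modules/...`) are hypothetical, the log lines are constructed Apache combined-format entries, and `canonical_path` is a generic approximation of what a framework's router does, not the vendor's implementation.

```python
"""Canonicalize-then-authorize check plus a log scan for encoded paths that
resolve to a disabled module.  Added example; module paths are hypothetical."""
import re
from urllib.parse import unquote

# HYPOTHETICAL: path prefixes of modules an administrator has disabled.
DISABLED_MODULE_PREFIXES = ("/app/modules/reports", "/app/modules/timesheets")

# CONSTRUCTED sample access-log lines (Apache combined-style, trimmed).
SAMPLE_LOG = """\
10.0.0.5 - alice [07/Apr/2026:10:01:02 +0000] "GET /app/modules/leave/list HTTP/1.1" 200 512
10.0.0.5 - alice [07/Apr/2026:10:01:09 +0000] "GET /app/modules/reports/list HTTP/1.1" 403 128
10.0.0.7 - bob [07/Apr/2026:10:02:15 +0000] "GET /app/modules/%72eports/list HTTP/1.1" 200 2048
10.0.0.7 - bob [07/Apr/2026:10:02:40 +0000] "GET /app%2Fmodules%2Ftimesheets%2Fview?id=1 HTTP/1.1" 200 4096
10.0.0.9 - carol [07/Apr/2026:10:03:01 +0000] "GET /search?q=a%20b HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def canonical_path(raw_target):
    """Drop the query string, percent-decode until stable (collapses double
    encoding), and normalise '.', '..' and repeated slashes."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):  # bounded so a pathological input cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_disabled_module(path, disabled=DISABLED_MODULE_PREFIXES):
    """True if the (already canonical) path lands inside a disabled module."""
    return any(path == p or path.startswith(p + "/") for p in disabled)


def naive_authorize(raw_target, disabled=DISABLED_MODULE_PREFIXES):
    """Weak gate (hypothetical): compares the raw, still-encoded path, so an
    encoded form of a disabled module's path slips past it."""
    return not is_disabled_module(raw_target.split("?", 1)[0], disabled)


def authorize(raw_target, disabled=DISABLED_MODULE_PREFIXES):
    """Hardened gate: canonicalize first, then apply the same module check."""
    return not is_disabled_module(canonical_path(raw_target), disabled)


def find_bypass_attempts(log_text, disabled=DISABLED_MODULE_PREFIXES):
    """Return requests whose path contains percent-encoding AND whose decoded
    form resolves to a disabled module.  Plain encoded characters elsewhere
    (e.g. '%20' in a search query) are not flagged, unlike a bare grep for '%'.
    A 2xx status on such a request is the strongest indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("target")
        raw_path = raw.split("?", 1)[0]
        canon = canonical_path(raw)
        if "%" in raw_path and is_disabled_module(canon, disabled):
            hits.append({
                "user": m.group("user"),
                "ip": m.group("ip"),
                "raw": raw,
                "canonical": canon,
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f"{hit['user']}@{hit['ip']} {hit['raw']} -> {hit['canonical']} "
              f"(HTTP {hit['status']})")
```

Run against real logs, replace `SAMPLE_LOG` with the file contents and `DISABLED_MODULE_PREFIXES` with the module paths the administrator actually disabled; the decode-then-compare step is what keeps the scan from drowning in the ordinary percent-encoding that legitimate requests carry.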
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated users to bypass access controls on disabled modules, potentially leading to unauthorized access to some information.
Such unauthorized access could pose risks to compliance with standards and regulations like GDPR and HIPAA, which require strict access controls to protect personal and sensitive data.
However, the impact on confidentiality and integrity is rated as low, and there is no impact on availability.
Therefore, while the vulnerability may increase the risk of non-compliance due to unauthorized access, the extent of the impact depends on the sensitivity of the data accessible through the disabled modules.