CVE-2026-39348
Authorization Bypass in OrangeHRM Attachments Allows Data Exposure

Publication date: 2026-04-07

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifiers. This vulnerability is fixed in 5.8.1.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: orangehrm
Product: orangehrm
Version / Range: from 5.0 (inclusive) to 5.8.1 (exclusive)
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-39348 is a vulnerability in OrangeHRM Open Source versions 5.0 through 5.8 where authorization checks are missing in the job specification and vacancy attachment download handlers.

This means that authenticated users with low privileges can access and download job-related attachments by directly referencing attachment identifiers, bypassing the intended access controls.

The vulnerability is due to missing authorization enforcement in subclasses of the AbstractFileController, specifically in the file download handlers.

It was fixed in version 5.8.1.

Impact Analysis

This vulnerability allows unauthorized disclosure of job specification and vacancy attachments, potentially exposing confidential job-related information to low-privilege authenticated users.

The confidentiality impact is rated as low, and there is no impact on system integrity or availability.

The flaw is reachable remotely over the network and requires no special conditions or user interaction; the only precondition is an authenticated account, which may be one with low privileges.

Detection Guidance

The vulnerability can be confirmed by checking whether an authenticated low-privilege user can download job specification and vacancy attachments. The decisive test is whether an attachment can be retrieved by referencing its identifier directly, with no authorization check being applied.

To detect this on your system, you can attempt to access attachment download URLs with a low-privilege authenticated user account and observe if the attachments are accessible.

Example commands might include using curl or wget with authenticated session cookies or tokens to request attachment URLs directly, such as:

  • curl -b cookies.txt https://your-orangehrm-instance.com/download/attachment?id=ATTACHMENT_ID
  • wget --load-cookies cookies.txt https://your-orangehrm-instance.com/download/attachment?id=ATTACHMENT_ID

Replace ATTACHMENT_ID with actual attachment identifiers and ensure the session corresponds to a low-privilege user. If the attachments are accessible without authorization errors, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade OrangeHRM Open Source to version 5.8.1 or later, where this vulnerability has been fixed by adding proper authorization checks.

Until the upgrade can be performed, restrict access to the attachment download handlers to only trusted users or implement additional access controls at the network or application level to prevent unauthorized attachment downloads.

Additionally, monitor and audit access logs for suspicious attachment download attempts by low-privilege users.

Compliance Impact

This vulnerability allows unauthorized disclosure of job specification and vacancy attachments by authenticated low-privilege users due to missing authorization checks. Although the confidentiality impact is rated as low, the exposure of potentially sensitive job-related information could have implications for compliance with data protection regulations such as GDPR or HIPAA, which require proper access controls to protect personal and sensitive data.

Organizations using affected versions of OrangeHRM Open Source (5.0 to 5.8) should consider this vulnerability as a risk to confidentiality and ensure they upgrade to version 5.8.1 or later to maintain compliance with standards that mandate strict authorization and data protection measures.
