CVE-2026-39346

OrangeHRM has Improper Access Control Allowing Access to Disabled Modules via URL Encoding

Description

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fixed in 5.8.1.

INFO

Published Date :

2026-04-07T18:19:24.388Z

Last Modified :

2026-04-09T16:05:10.333Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39346 vulnerability.

Vendors	Products
Orangehrm	Orangehrm

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39346.

URL	Resource
https://github.com/orangehrm/orangehrm/security/advisories/GHSA-f254-w9w8-xc8q

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact