Security Vulnerability Report
CVE-2026-39349 CVSS 2.7 LOW

CVE-2026-39349

Published: 2026-04-07 19:16:46
Last Modified: 2026-04-10 19:32:41

Description

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data. This vulnerability is fixed in 5.8.1.

CVSS Details

CVSS Score (v3.1, Primary)
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CVSS Score (v4.0, Secondary)
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Weakness
CWE-326 (Inadequate Encryption Strength)

Reading the vector: PR:H means the attacker must already hold high privileges (in practice, read access to the stored ciphertexts, e.g. via the database or a backup), and C:L / I:N / A:N means the only impact is limited confidentiality loss. ECB leaks which stored values are equal, or share a block-aligned prefix, without recovering the key or the plaintext.

Configurations (Affected Products)

cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:* - VULNERABLE (versionStartIncluding 5.0, versionEndExcluding 5.8.1)
OrangeHRM Open Source 5.0
OrangeHRM Open Source 5.1
OrangeHRM Open Source 5.2
OrangeHRM Open Source 5.3
OrangeHRM Open Source 5.4
OrangeHRM Open Source 5.5
OrangeHRM Open Source 5.6
OrangeHRM Open Source 5.7
OrangeHRM Open Source 5.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
from Crypto.Cipher import AES          # PyCryptodome
from Crypto.Util.Padding import pad
import binascii

# Simulating the vulnerable encryption mechanism in OrangeHRM. This is a
# standalone simulation of AES-ECB; it does not talk to an OrangeHRM instance.
# In a real scenario the key would be extracted from the configuration;
# the 16-byte placeholder below selects AES-128.
key = b'0123456789ABCDEF'
cipher = AES.new(key, AES.MODE_ECB)

# Example 1: encrypting a sensitive field (e.g. Salary: 5000)
data_1 = "Salary: 5000"
ct1 = cipher.encrypt(pad(data_1.encode(), AES.block_size))

# Example 2: encrypting the same value again (a second record with the same salary)
data_2 = "Salary: 5000"
ct2 = cipher.encrypt(pad(data_2.encode(), AES.block_size))

# Example 3: encrypting a different value (Salary: 6000)
data_3 = "Salary: 6000"
ct3 = cipher.encrypt(pad(data_3.encode(), AES.block_size))

print(f"Ciphertext 1 (Salary 5000): {binascii.hexlify(ct1).decode()}")
print(f"Ciphertext 2 (Salary 5000): {binascii.hexlify(ct2).decode()}")
print(f"Ciphertext 3 (Salary 6000): {binascii.hexlify(ct3).decode()}")

# Proof of concept: ECB mode pattern disclosure. ECB uses no IV or nonce,
# so equal padded plaintext blocks under the same key always give equal
# ciphertext blocks.
if ct1 == ct2:
    print("\n[!] Vulnerability Confirmed: Identical plaintexts produce identical ciphertexts (Pattern Disclosure).")
else:
    print("\n[+] Safe: Ciphertexts differ.")

# Analysis: an attacker who can read ct1 and ct2 from the database (or a backup)
# learns that the two stored values are identical without knowing the key.
```
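
The snippet above only shows that two equal short values collide. The following is an added worked example, not OrangeHRM code and not the vendor's 5.8.1 fix (the page does not say how the fix is implemented); it is written in Go so it runs with only the standard library. It covers both the description's "block-aligned plaintext patterns" (two records that share only their first 16 bytes produce a shared first ciphertext block) and an audit check a practitioner can run over a dumped column to find ECB-style repeats. The AES-GCM variant is included purely as a nonce-based contrast and is an assumption of this example. The key and the sample records are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed sample column of sensitive field values (not real data).
// Records 0 and 1 are identical; records 3 and 4 share exactly their first
// 16 bytes ("Bank: ACME Bank ") and differ only in the second block.
var sampleRecords = []string{
	"123-45-6789",
	"123-45-6789",
	"987-65-4321",
	"Bank: ACME Bank 0012-3456-7890",
	"Bank: ACME Bank 0012-3456-7999",
}

// pkcs7Pad pads data up to a whole number of blocks (PKCS#7).
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB reproduces the weak construction: every block is encrypted
// independently under the key with no IV, so equal plaintext blocks give
// equal ciphertext blocks across every record in the table.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// encryptGCM is the contrast case (an assumed hardening, not the vendor's
// patch): AES-GCM with a fresh random nonce per record, stored as
// nonce || ciphertext || tag. Equal plaintexts no longer collide.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// repeatedBlocks is the audit check for a dumped column: count every
// blockSize-byte ciphertext block at block-aligned offsets and return those
// seen more than once. Under ECB these are exactly the leaked patterns; a
// nonce-based mode should yield an empty map.
func repeatedBlocks(column [][]byte, blockSize int) map[string]int {
	counts := map[string]int{}
	for _, ct := range column {
		for i := 0; i+blockSize <= len(ct); i += blockSize {
			counts[hex.EncodeToString(ct[i:i+blockSize])]++
		}
	}
	repeats := map[string]int{}
	for b, n := range counts {
		if n > 1 {
			repeats[b] = n
		}
	}
	return repeats
}

// auditColumn encrypts every record with enc and runs the repeated-block check.
func auditColumn(key []byte, records []string, enc func(key, pt []byte) ([]byte, error)) (map[string]int, error) {
	column := make([][]byte, 0, len(records))
	for _, r := range records {
		ct, err := enc(key, []byte(r))
		if err != nil {
			return nil, err
		}
		column = append(column, ct)
	}
	return repeatedBlocks(column, aes.BlockSize), nil
}

func main() {
	key := []byte("0123456789ABCDEF") // placeholder AES-128 key; a real one lives in the app config
	modes := []struct {
		name string
		enc  func([]byte, []byte) ([]byte, error)
	}{{"AES-ECB", encryptECB}, {"AES-GCM", encryptGCM}}
	for _, m := range modes {
		rep, err := auditColumn(key, sampleRecords, m.enc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d repeated ciphertext block(s)\n", m.name, len(rep))
		for b, n := range rep {
			fmt.Printf("  block %s seen %d times\n", b, n)
		}
	}
}
```

Run with `go run`: the ECB column reports two repeated blocks (the shared single-block value of records 0 and 1, and the shared first block of records 3 and 4), while the GCM column reports none. The same `repeatedBlocks` scan can be pointed at the raw bytes of an exported column from an affected 5.0 to 5.8 deployment to measure how much equality or prefix information the stored ciphertexts expose before upgrading to 5.8.1.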

References

https://github.com/orangehrm/orangehrm/security/advisories/GHSA-g29m-3jgj-gprg (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39349", "sourceIdentifier": "[email protected]", "published": "2026-04-07T19:16:46.067", "lastModified": "2026-04-10T19:32:40.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data. This vulnerability is fixed in 5.8.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-326"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.8.1", "matchCriteriaId": "804C1EE9-4D17-4056-B3D6-1BDB9F0BB026"}]}]}], "references": [{"url": "https://github.com/orangehrm/orangehrm/security/advisories/GHSA-g29m-3jgj-gprg", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}