OrangeHRM Open Source Improper Access Control Vulnerability in Disabled Modules

Vulnerability

A vulnerability in OrangeHRM Open Source versions 5.0 through 5.8 allows authenticated users to bypass access controls for disabled modules. The bypass uses URL-encoded request paths, which give access to functionality of modules that an administrator has disabled. The issue has been fixed in version 5.8.1.

Impact

Exploiting this vulnerability could lead to unauthorized access to module functionalities that are meant to be disabled, potentially allowing users to manipulate or view information they should not have access to.

Remediation

Users can upgrade to OrangeHRM Open Source version 5.8.1 to address this vulnerability.
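
For reviewing web server access logs from the period before the upgrade, the following added example (not OrangeHRM code and not part of the original advisory) flags requests whose path only resolves to a disabled module after percent-decoding. The module prefix `examplemodule`, the log format and the sample log lines are assumptions constructed for illustration; substitute the path prefixes of the modules disabled in your deployment.

```python
import re
from urllib.parse import unquote

# Assumption: operator-supplied path prefixes of modules disabled in this deployment.
# "examplemodule" is a placeholder, not a real OrangeHRM module name.
DISABLED_PREFIXES = ["/web/index.php/examplemodule/"]

# Request line and status code of a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so nested encodings are resolved as well."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_encoded_module_hits(lines, prefixes=DISABLED_PREFIXES):
    """Return requests that reach a disabled-module prefix only after decoding."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse
        raw_path = m.group("target").split("?", 1)[0]  # drop the query string
        decoded = normalize(raw_path)
        reaches_disabled = any(decoded.startswith(p) for p in prefixes)
        literal_match = any(raw_path.startswith(p) for p in prefixes)
        if reaches_disabled and not literal_match:
            findings.append({"path": raw_path, "decoded": decoded,
                             "status": int(m.group("status"))})
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder module name).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Apr/2026:10:00:01 +0000] "GET /web/index.php/examplemodule/view HTTP/1.1" 403 512',
    '203.0.113.7 - - [07/Apr/2026:10:00:05 +0000] "GET /web/index.php/%65xamplemodule/view?id=1 HTTP/1.1" 200 8841',
    '198.51.100.4 - - [07/Apr/2026:10:01:00 +0000] "GET /web/index.php/dashboard/index HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in find_encoded_module_hits(SAMPLE_LOG):
        print(hit["status"], hit["path"], "->", hit["decoded"])
```

A flagged request with a success status is worth correlating with the authenticated session that issued it; the upgrade to 5.8.1 remains the fix.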

Added: Apr 7, 2026, 8:02 PM
Updated: Apr 7, 2026, 8:02 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 5.2
remediation: 7.7
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.