OrangeHRM Open Source Job Attachment Authorization Vulnerability

Vulnerability

An authorization vulnerability has been identified in OrangeHRM Open Source versions 5.0 through 5.8. The issue arises in the job specification and vacancy attachment download handlers, where authorization checks are omitted. This flaw allows authenticated low-privilege users to access attachments by directly referencing attachment identifiers.
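As an added illustration, not OrangeHRM's own code (which is PHP) and with constructed role names, an in-memory attachment store and hypothetical handler functions, the flaw class the advisory describes beside a hardened handler that decides authorization before the attachment record is even looked up, so a denied caller learns nothing about which identifiers exist:

```python
"""Constructed example: attachment download with and without an authorization check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    attachment_id: int
    kind: str        # "job_specification" or "vacancy"
    content: bytes


@dataclass(frozen=True)
class User:
    username: str
    role: str        # hypothetical role names, not OrangeHRM's


# Constructed sample store keyed by the identifier a client would pass in the request.
ATTACHMENTS = {
    1: Attachment(1, "vacancy", b"%PDF-1.4 vacancy attachment (sample)"),
    2: Attachment(2, "job_specification", b"%PDF-1.4 job specification (sample)"),
}

# Assumption for this example: only these roles may read recruitment attachments.
ALLOWED_ROLES = {"Admin", "HiringManager"}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def download_unchecked(user: User, attachment_id: int) -> bytes:
    """Vulnerable pattern: being authenticated plus knowing an id is enough."""
    if attachment_id not in ATTACHMENTS:
        raise NotFound(attachment_id)
    return ATTACHMENTS[attachment_id].content


def download_checked(user: User, attachment_id: int) -> bytes:
    """Hardened pattern: authorization first, then the lookup.

    Checking the role before touching the store means a low-privilege caller
    gets the same Forbidden answer for valid and invalid ids alike, so the
    denial cannot be used to enumerate which attachments exist.
    """
    if user.role not in ALLOWED_ROLES:
        raise Forbidden(f"{user.username} ({user.role}) may not read recruitment attachments")
    if attachment_id not in ATTACHMENTS:
        raise NotFound(attachment_id)
    return ATTACHMENTS[attachment_id].content
```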

Impact

Exploitation of this vulnerability could lead to unauthorized access to job specification and vacancy attachments, allowing low-privilege users to read these files without proper authorization.

Remediation

Users can upgrade to OrangeHRM Open Source version 5.8.1 to address this vulnerability.

Added: Apr 7, 2026, 8:01 PM
Updated: Apr 7, 2026, 8:01 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           3.1
impact           0.6
exploitability   5.2
remediation      7.7
relevance        5.4
threat           0.0
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.