OrangeHRM Flaw: Local File Reads for Authenticated Users

CVE Notify is flagging a critical vulnerability, CVE-2026-39345, affecting OrangeHRM Open Source versions 5.0 through 5.8. The flaw stems from a failure to restrict how email template files are resolved: an authenticated user can influence the template path and read arbitrary local files on the server. Exploitation requires valid login credentials, so the exposure is to any account holder rather than to anonymous attackers, but with those credentials an attacker can read any file the web server process itself has permission to read, including sensitive configuration stored on the host.

According to CVE Notify, the root cause lies in how the application builds the path to a template file. Because the supplied template path is not confined to the intended plugins directory, an authenticated actor can manipulate it so that OrangeHRM fetches and reveals the contents of files outside that directory. The issue is fixed in version 5.8.1; organizations still running an affected version should update immediately.
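The advisory describes the bug class (a template name that is joined onto the plugins directory without checking that the result stays inside it) but not OrangeHRM's internal code, so the following is an added illustration and not OrangeHRM's own implementation. It is a Python model of the pattern: an unsafe resolver that trusts the template name, next to a hardened resolver that canonicalizes both the base directory and the candidate with realpath and rejects anything whose canonical path does not sit under the plugins directory. The directory layout, template name, and the "secrets.conf" file placed outside the plugins directory are all constructed for the demo; the exact request parameter OrangeHRM exposed is not stated on the page and is not assumed here.

```python
import os
import tempfile


def resolve_template_unsafe(plugins_dir: str, template_name: str) -> str:
    """Vulnerable pattern (illustrative, not OrangeHRM's code).

    The user-controlled template name is joined straight onto the plugins
    directory. ".." segments walk out of it, and os.path.join discards
    plugins_dir entirely when template_name is an absolute path.
    """
    return os.path.join(plugins_dir, template_name)


def resolve_template_safe(plugins_dir: str, template_name: str) -> str:
    """Hardened resolver: canonicalize, then prove containment.

    realpath collapses ".." and follows symlinks on both sides, so a symlink
    inside plugins pointing elsewhere is caught too. commonpath (rather than
    str.startswith) is used so a sibling such as "plugins-evil" cannot pass
    as a prefix match of "plugins".
    """
    base = os.path.realpath(plugins_dir)
    candidate = os.path.realpath(os.path.join(base, template_name))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"template path escapes plugins dir: {template_name!r}")
    return candidate


def read_template(plugins_dir: str, template_name: str, resolver) -> str:
    """Read a template through the given resolver (the vulnerable sink)."""
    with open(resolver(plugins_dir, template_name), encoding="utf-8") as fh:
        return fh.read()


def build_fixture() -> tuple[str, str]:
    """Constructed sample layout: a plugins tree plus one file outside it."""
    root = tempfile.mkdtemp(prefix="orangehrm-demo-")
    plugins = os.path.join(root, "plugins")
    tmpl_dir = os.path.join(plugins, "orangehrmCorePlugin", "templates")
    os.makedirs(tmpl_dir)
    with open(os.path.join(tmpl_dir, "welcome.txt"), "w", encoding="utf-8") as fh:
        fh.write("Welcome to {company}")
    # Stands in for any sensitive file the web server user can read.
    with open(os.path.join(root, "secrets.conf"), "w", encoding="utf-8") as fh:
        fh.write("db_password=constructed-sample")
    return root, plugins


def demo() -> dict:
    """Run both resolvers against a legitimate name, a traversal, and an absolute path."""
    root, plugins = build_fixture()
    legit = "orangehrmCorePlugin/templates/welcome.txt"
    traversal = "../secrets.conf"
    absolute = os.path.join(root, "secrets.conf")
    results = {}

    results["unsafe_legit"] = read_template(plugins, legit, resolve_template_unsafe)
    # Both of these escape the plugins directory through the unsafe resolver.
    results["unsafe_traversal"] = read_template(plugins, traversal, resolve_template_unsafe)
    results["unsafe_absolute"] = read_template(plugins, absolute, resolve_template_unsafe)

    results["safe_legit"] = read_template(plugins, legit, resolve_template_safe)
    for label, name in (("safe_traversal", traversal), ("safe_absolute", absolute)):
        try:
            read_template(plugins, name, resolve_template_safe)
            results[label] = "READ"
        except PermissionError:
            results[label] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check belongs at the point where the filename is finally opened, not only in an input validator earlier in the request flow: encoded or normalized variants of the same traversal can slip past string-level filters, while a realpath-based comparison judges the path the operating system will actually open.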

What This Means For You

  • Verify that every instance of OrangeHRM Open Source is running version 5.8.1 or later; any 5.0 through 5.8 deployment is exposed to authenticated local file disclosure until it is upgraded.
  • Until an instance is patched, assume any authenticated account can read files available to the web server user, and review access logs for template-related requests carrying path traversal sequences.

Related ATT&CK Techniques

Indicators of Compromise

ID              Type                    Indicator
CVE-2026-39345  Path Traversal          OrangeHRM Open Source 5.0 to 5.8 fails to restrict email template file resolution, allowing arbitrary local file read.
CVE-2026-39345  Information Disclosure  OrangeHRM Open Source 5.0 to 5.8: an authenticated actor can influence the template path to read arbitrary local files.