CVE-2026-39349 LOW

CVE-2026-39349: OrangeHRM Uses AES-ECB for Sensitive Data Encryption Enables Pattern Disclosure

Vendor Orangehrm
Product orangehrm
Weakness CWE-326 · Weak encryption
Published April 7, 2026
Last update April 7, 2026

CVSS base score

2.1/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data. This vulnerability is fixed in 5.8.1.

Key dates

02Disclosure timeline

April 7, 2026 CVE published
April 7, 2026 Record updated