Description
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with the default role can access unauthorized information by exploiting a certain API endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized information disclosure via improper access control
Action: Apply Patch
AI Analysis

Impact

Frappe HR allows an authenticated user with a default role to call a specific API endpoint that returns information they are not permitted to see. The flaw is an instance of CWE-284 (improper access control). The result is that confidential HR data is disclosed to users who should not have access, potentially exposing personal employee information.

Affected Systems

Versions of Frappe HR released before 15.58.1 and 16.4.1 are affected. The vulnerability is present in all older releases of the frappe:hrms product; upgrading to one of the patched releases resolves the issue.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. Exploitation requires an authenticated account but no privileges beyond the default role, so any legitimate user who locates the vulnerable endpoint could use it. No EPSS score is available, and the vulnerability is not listed in CISA KEV, but the absence of a public exploit does not reduce the risk of data exfiltration in a production environment.

Generated by OpenCVE AI on April 22, 2026 at 06:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe HR to at least version 15.58.1 or 16.4.1 where the patch has been applied.
  • If an upgrade is not immediately feasible, restrict the default role’s permissions or remove access to the vulnerable endpoint until patching can occur.
  • Monitor API access logs for unexpected usage patterns to detect potential exploitation while the vulnerability remains unpatched.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Frappe
                                      Frappe hrms
Vendors & Products                    Frappe
                                      Frappe hrms

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description                    Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.
Title                          Frappe HR vulnerable to Improper Access Control
Weaknesses                     CWE-284
References
Metrics                        cvssV3_0
                               {'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                               ssvc
                               {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:43:37.506Z

Reserved: 2026-04-15T16:37:22.765Z

Link: CVE-2026-40888

Vulnrichment

Updated: 2026-04-21T19:43:33.793Z

NVD

Status: Received

Published: 2026-04-21T20:17:02.537

Modified: 2026-04-21T20:17:02.537

Link: CVE-2026-40888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:32Z

Weaknesses