Description
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting a certain API endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Disclosure
Action: Patch
AI Analysis

Impact

Frappe HR allowed authenticated users to read files they should not have access to by calling a specific API endpoint. This improper access control flaw, identified as CWE‑284, can expose confidential documents or data stored in the system, thereby compromising confidentiality. The vulnerability requires that the attacker be logged into the system but does not require any additional privileges beyond normal user credentials.

Affected Systems

The affected product is the open‑source HRMS known as Frappe HR (frappe:hrms). All releases before 15.58.2 and 16.4.2 suffer from this flaw; the advisory documents the patch in those two releases.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) rates the issue Medium: reachable over the network, low attack complexity, low privileges required, no user interaction, with high confidentiality impact and no impact on integrity or availability. EPSS is below 1% and the CVE is not listed in the CISA KEV catalog; the SSVC assessment records Exploitation: none and Automatable: no. Because the attack rides an existing authenticated session, anyone who can log in, whether an employee or a compromised account, can retrieve files they are not authorized to see through the vulnerable endpoint. No in-the-wild exploitation has been reported, but the path is straightforward once a user is authenticated.

Generated by OpenCVE AI on April 22, 2026 at 05:28 UTC.

Remediation

The vendor fix is in Frappe HR 15.58.2 (15.x line) and 16.4.2 (16.x line). No workaround is provided; the advisory does not identify the affected endpoint.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to Frappe HR 15.58.2 or later on the 15.x line, or 16.4.2 or later on the 16.x line. Note that the lines are patched independently: a 16.x release below 16.4.2 is still vulnerable even though it is numerically newer than 15.58.2.
  • If an upgrade cannot be performed immediately, reduce exposure until it can: the advisory does not name the endpoint, so an interim block cannot be targeted precisely, but tightening which roles can access the file-related API surface and limiting who holds valid accounts narrows the set of users who could exploit it.
  • Review access logs for unexpected or bulk private-file retrievals by ordinary users, and enforce the principle of least privilege in file-access permissions so that a successful read exposes as little as possible.
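As an added example for the actions above (this is illustrative code written here, not code from Frappe HR or OpenCVE), the block below does two things a practitioner would want after reading this advisory: a version check that honours the two maintenance lines named in the advisory, and a triage pass over access-log records that flags users retrieving an unusual number of distinct private files. The key=value log format, the user names and the file names are constructed for the example; the advisory does not identify the vulnerable endpoint, so the triage keys on private-file paths rather than on a specific API call, and the flagging threshold is a tuning knob, not an advisory value.

```python
"""Added example for CVE-2026-40889; not Frappe HR or OpenCVE project code.

(1) is_patched(): compare a Frappe HR version against the patched release of
    its own maintenance line (15.58.2 for 15.x, 16.4.2 for 16.x).
(2) flag_bulk_downloaders(): triage constructed access-log records for users
    who pulled many distinct private files.
"""
import re
from collections import defaultdict

# First patched release of each maintenance line, from the advisory text.
PATCHED = {15: (15, 58, 2), 16: (16, 4, 2)}


def parse_version(text):
    """Parse 'v15.58.1' or '16.4.2' into a (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(text):
    """Return True when the release carries the fix.

    Each line is compared against its own patched release, so 16.0.0 is
    reported vulnerable even though it sorts above 15.58.2. Lines older than
    15 predate the fix. Lines newer than 16 are assumed to include it; the
    advisory does not say so, this is an assumption of the example.
    """
    v = parse_version(text)
    fixed = PATCHED.get(v[0])
    if fixed is None:
        return v[0] > max(PATCHED)
    return v >= fixed


# Constructed access-log records (not real Frappe log output): one request
# per line, key=value fields. Adapt LINE_RE to the log you actually keep.
SAMPLE_LOG = """\
2026-04-22T09:01:12Z user=alice@example.com method=GET path=/private/files/payslip-2026-03-alice.pdf status=200
2026-04-22T09:01:40Z user=alice@example.com method=GET path=/app/hr-settings status=200
2026-04-22T09:02:05Z user=mallory@example.com method=GET path=/private/files/payslip-2026-03-alice.pdf status=200
2026-04-22T09:02:06Z user=mallory@example.com method=GET path=/private/files/payslip-2026-03-bob.pdf status=200
2026-04-22T09:02:07Z user=mallory@example.com method=GET path=/private/files/contract-carol.pdf status=200
2026-04-22T09:02:08Z user=mallory@example.com method=GET path=/private/files/payslip-2026-03-dave.pdf status=200
2026-04-22T09:05:00Z user=bob@example.com method=GET path=/private/files/payslip-2026-03-bob.pdf status=200
2026-04-22T09:05:30Z user=bob@example.com method=GET path=/private/files/payslip-2026-02-bob.pdf status=403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def private_file_downloads(records):
    """Map user -> set of private files actually served (HTTP 200).

    Denied requests (403) are excluded: they show intent but leaked nothing.
    """
    served = defaultdict(set)
    for r in records:
        if r["path"].startswith("/private/files/") and r["status"] == 200:
            served[r["user"]].add(r["path"])
    return served


def flag_bulk_downloaders(records, threshold=3):
    """Users who were served more than `threshold` distinct private files.

    Pick `threshold` from a baseline of normal per-user activity on your own
    instance; the default here is illustrative only.
    """
    served = private_file_downloads(records)
    return sorted(u for u, files in served.items() if len(files) > threshold)


if __name__ == "__main__":
    for v in ("15.57.0", "15.58.2", "16.0.0", "16.4.2"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    print("review these accounts:", flag_bulk_downloaders(parse_log(SAMPLE_LOG)))
```

Run against your own export, a flagged account is a starting point for review, not proof of abuse: a payroll administrator legitimately opens many payslips, so compare the flagged user's role against the files they touched before escalating.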

Generated by OpenCVE AI on April 22, 2026 at 05:28 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Frappe; Frappe hrms
Vendors & Products | | Frappe; Frappe hrms

Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.
Title | | Frappe HR has Improper Access Control on Files
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:30:10.795Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40889

Vulnrichment

Updated: 2026-04-22T13:30:06.999Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T20:17:02.680

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-40889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:31Z

Weaknesses