Description
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 15.106.0 and 16.16.0.
Published: 2026-05-13
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted request to a specific ERPNext endpoint could cause the server to issue an HTTP call to an arbitrary service chosen by an attacker. This Server-Side Request Forgery allows an authenticated user to access internal or external resources, potentially exposing confidential data or enabling lateral movement within the network. The vulnerability does not directly grant code execution, but it can be leveraged to enumerate network hosts, extract secrets, or pivot to other systems.

Affected Systems

ERPNext, developed by Frappe, was vulnerable in all releases before 15.106.0 and 16.16.0. Any authenticated user could exploit this flaw. The fix was introduced in the stated versions, so all deployments running older versions are affected. The tool is open-source and widely deployed in small-to-medium enterprises and internal environments.

Risk and Exploitability

The CVSS score of 5.0 indicates a moderate risk level. No EPSS value is available, so the likelihood of exploitation cannot be quantified from the data. The flaw is not listed in CISA's KEV catalog. Based on the description, the most likely attack vector is direct network access to the vulnerable HTTP endpoint, requiring authentication but not privileged roles.

Generated by OpenCVE AI on May 13, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ERPNext to version 15.106.0 or later, or 16.16.0 or later, where the SSRF issue has been resolved.
  • If upgrading cannot be performed immediately, block outbound HTTP traffic from the ERPNext server to internal services or disable the vulnerable endpoint via configuration or firewall rules.
  • Ensure the ERPNext instance is accessed only through authenticated users and consider network segmentation to limit exposure to internal resources.

Generated by OpenCVE AI on May 13, 2026 at 22:23 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*

Thu, 14 May 2026 13:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 23:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Frappe; Frappe erpnext
Vendors & Products  |                | Frappe; Frappe erpnext

Wed, 13 May 2026 21:45:00 +0000

Type        | Values Removed | Values Added
Description |                | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 15.106.0 and 16.16.0.
Title       |                | ERPNext: Possible SSRF by any authenticated user
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:50:24.851Z

Reserved: 2026-05-06T14:40:00.955Z

Link: CVE-2026-44441

Vulnrichment

Updated: 2026-05-14T12:50:21.189Z

NVD

Status: Analyzed

Published: 2026-05-13T22:16:45.177

Modified: 2026-05-14T20:10:48.240

Link: CVE-2026-44441

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T23:00:07Z

Weaknesses