Description
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.
Published: 2026-05-13
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Certain API endpoints in ERPNext prior to version 16.9.1 fail to enforce proper authorization checks, allowing authenticated users to modify records that lie outside their permitted role boundaries. This flaw represents a serious breach of data integrity and confidentiality by enabling unauthorized changes to business documents. It is classified under CWE-862, Improper Privilege Management, reflecting a failure to restrict operation access based on user roles.

Affected Systems

All ERPNext installations (CPE vendor/product frappe:erpnext) running any version earlier than 16.9.1 are affected. The issue was resolved in the 16.9.1 release; any deployment that has not upgraded to at least that patch level remains vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.9, marking it as critical. No EPSS score is currently available, and it is not listed in the CISA KEV catalog, but the lack of mitigations in earlier releases leaves a clear attack path. Because the flaw permits policy bypass via standard authenticated requests, an attacker only needs a legitimate user session, with no elevated privileges or special conditions, to craft malicious updates through the web interface or API endpoints that lack proper role validation.

Generated by OpenCVE AI on May 13, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ERPNext update (v16.9.1 or later) to include the authorization fix.
  • If an immediate upgrade is not feasible, isolate or disable the affected endpoints and enforce stricter role-based access controls through custom middleware or configuration.
  • Audit existing user roles and permissions to ensure least-privilege principles, and monitor logs for any unauthorized document modifications to detect exploitation attempts.

Advisories

No advisories yet.

History

Thu, 14 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
CPEs | (none) | cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*

Wed, 13 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Frappe; Frappe erpnext
Vendors & Products | (none) | Frappe; Frappe erpnext

Wed, 13 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.
Title | (none) | ERPNext: Unauthorised Document modification due to missing validation
Weaknesses | (none) | CWE-862
References | (none) | (none listed)
Metrics | (none) | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:52:05.513Z

Reserved: 2026-05-06T14:40:00.955Z

Link: CVE-2026-44442

Vulnrichment

Updated: 2026-05-14T16:04:00.465Z

NVD

Status: Analyzed

Published: 2026-05-13T22:16:45.350

Modified: 2026-05-14T20:04:02.837

Link: CVE-2026-44442

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T22:30:06Z

Weaknesses