Description
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0.
Published: 2026-05-13
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from missing authorization checks on several ERPNext endpoints, which allows authenticated users to modify documents that should be outside their permitted roles. Because the system relies on role-based access control, the flaw effectively permits users to tamper with critical business data, leading to integrity violations and potential downstream business process disruption. The weakness is classified as CWE-862, indicating improper authorization.

Affected Systems

The affected product is the ERPNext application developed by the Frappe framework. Versions prior to 15.102.0 and 16.11.0 are vulnerable. Users running any of these releases are at risk unless they patch to the mentioned fixed releases or later.

Risk and Exploitability

The CVSS base score is 5.9, characterizing a moderate level of risk. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited publicly known exploitation. However, because any authenticated user with a role lower than administrator can invoke the affected endpoints, the likelihood of exploitation remains significant in environments where internal users have broad permissions or where remote administration is possible. Immediate patching is recommended to eliminate the risk.

Generated by OpenCVE AI on May 13, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ERPNext to version 15.102.0 or 16.11.0 (or later) to apply the official fix.
  • Verify that role-based permissions enforce proper authorization checks on all document handling endpoints; adjust any custom roles that may bypass these controls.
  • If an upgrade cannot be performed immediately, restrict network access to the affected endpoints or disable them via application settings to reduce the attack surface.

Generated by OpenCVE AI on May 13, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe erpnext
Vendors & Products Frappe
Frappe erpnext

Wed, 13 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0.
Title ERPNext: Unauthorised Document modification due to missing validation
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Frappe Erpnext
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:41:34.715Z

Reserved: 2026-05-06T15:49:25.192Z

Link: CVE-2026-44448

cve-icon Vulnrichment

Updated: 2026-05-14T12:41:31.093Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T22:16:45.913

Modified: 2026-05-15T16:20:17.270

Link: CVE-2026-44448

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T22:30:06Z

Weaknesses