Description
Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Leave Details API in Frappe HR lacked a proper authorization check, so any authenticated employee could retrieve other employees’ leave records. This is a missing object-level check rather than an authentication bypass: the caller is logged in, but the API never verifies that the caller is entitled to the employee record it returns. The flaw exposes sensitive personnel information and is classified as CWE‑863 (Incorrect Authorization).

Affected Systems

The vulnerability affects the Frappe HRMS product. All installations running a version earlier than 16.5.0 are impacted; the fix was released in the 16.5.0 update.

Risk and Exploitability

With a CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) the issue is rated Medium: reachable over the network, low attack complexity, requiring only a low‑privileged account, with high confidentiality impact and no integrity or availability impact. No EPSS score is available yet, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation as ‘none’ and Automatable as ‘no’, so there is no public evidence of exploitation at the time of writing (absence from KEV does not by itself rule it out). The attack requires legitimate user credentials, which in this case means any employee account. Updating to 16.5.0 or later removes the flaw.

Generated by OpenCVE AI on May 27, 2026 at 19:15 UTC.

Remediation

The CVE description states that the issue is fixed in Frappe HR 16.5.0. No workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Frappe HRMS to version 16.5.0 or higher to apply the authorization fix.
  • Re‑evaluate and adjust role‑based access controls so that only authorized managers or HR personnel can query leave details.
  • Audit past access to leave details (application request logs, audit trails) for retrievals by users who were neither the record’s owner nor HR staff, and treat any such access as a disclosure of the affected employees’ leave data.
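As an added illustration (not Frappe HR’s code; the function names, record shapes, role names and log lines below are hypothetical and constructed), this Python model shows the CWE‑863 pattern described under Impact, a leave‑details handler that checks only authentication beside one that also performs the object‑level authorization check, and then reuses that check to replay a constructed access log as the audit step in the last recommended action suggests.

```python
"""Added example, not Frappe HR code: a minimal model of the CWE-863 pattern
behind CVE-2026-45081 and of an access-log audit for it.

Everything here is hypothetical: the record shapes, the role names, the
function names and the log lines are constructed for illustration and do not
reflect the project's real API or schema.
"""
from dataclasses import dataclass, field

# Constructed data: leave records keyed by employee id, and the employee id
# linked to each user account.
LEAVE_RECORDS = {
    "EMP-001": [{"from": "2026-05-01", "to": "2026-05-03", "type": "Sick Leave"}],
    "EMP-002": [{"from": "2026-05-10", "to": "2026-05-12", "type": "Casual Leave"}],
    "EMP-003": [],
}
USER_TO_EMPLOYEE = {
    "alice@example.com": "EMP-001",
    "bob@example.com": "EMP-002",
    "hr@example.com": "EMP-003",
}
# Roles allowed to read any employee's leave details (hypothetical policy).
HR_ROLES = {"HR Manager", "HR User"}


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)


class LeaveAccessDenied(Exception):
    """Raised when the caller may not read the requested employee's leave."""


def get_leave_details_vulnerable(session: Session, employee: str) -> list:
    """The flaw: authentication is checked, authorization is not.
    Any logged-in user can pass any employee id and get that employee's leave."""
    if not session.user or session.user == "Guest":
        raise LeaveAccessDenied("not logged in")
    return LEAVE_RECORDS.get(employee, [])


def can_read_leave(session: Session, employee: str) -> bool:
    """Object-level authorization: the caller may read the record only if it is
    their own employee record or they hold an HR role."""
    own_employee = USER_TO_EMPLOYEE.get(session.user)
    return employee == own_employee or bool(session.roles & HR_ROLES)


def get_leave_details_fixed(session: Session, employee: str) -> list:
    """Hardened handler: the same lookup, preceded by the object-level check."""
    if not session.user or session.user == "Guest":
        raise LeaveAccessDenied("not logged in")
    if not can_read_leave(session, employee):
        raise LeaveAccessDenied(f"{session.user} may not read leave for {employee}")
    return LEAVE_RECORDS.get(employee, [])


# Constructed access-log lines in a hypothetical "timestamp user employee" format,
# standing in for whatever a deployment recorded for calls to the endpoint.
ACCESS_LOG = """\
2026-05-20T09:01:00Z alice@example.com EMP-001
2026-05-20T09:02:10Z alice@example.com EMP-002
2026-05-20T09:05:42Z bob@example.com EMP-002
2026-05-20T09:07:13Z hr@example.com EMP-001
2026-05-20T09:09:55Z bob@example.com EMP-001
"""
# Roles held by each account at audit time (constructed).
USER_ROLES = {
    "alice@example.com": {"Employee"},
    "bob@example.com": {"Employee"},
    "hr@example.com": {"Employee", "HR Manager"},
}


def audit_access_log(log_text: str) -> list:
    """Replay each logged request through the hardened policy and return the
    (timestamp, user, employee) tuples the fixed handler would have refused.
    These are the candidate unauthorized retrievals to investigate."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, employee = line.split()
        session = Session(user=user, roles=USER_ROLES.get(user, set()))
        if not can_read_leave(session, employee):
            findings.append((ts, user, employee))
    return findings


if __name__ == "__main__":
    alice = Session("alice@example.com", {"Employee"})
    print(get_leave_details_vulnerable(alice, "EMP-002"))  # Bob's leave leaks
    try:
        get_leave_details_fixed(alice, "EMP-002")
    except LeaveAccessDenied as exc:
        print("refused:", exc)
    for finding in audit_access_log(ACCESS_LOG):
        print("suspicious:", *finding)
```

The replay finds two requests that the hardened policy would refuse (alice reading EMP‑002 and bob reading EMP‑001) while leaving the HR manager’s read alone; the same predicate serves both the fix and the audit, so the two cannot drift apart.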

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 17:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.

Type: Title
Values Removed: (none)
Values Added: Frappe HR: Permission Bypass in HRMS Leave Details API

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-863

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:26:47.576Z

Reserved: 2026-05-08T18:45:10.097Z

Link: CVE-2026-45081

Vulnrichment

Updated: 2026-05-27T18:26:15.239Z

NVD

Status : Received

Published: 2026-05-27T18:16:24.433

Modified: 2026-05-27T18:16:24.433

Link: CVE-2026-45081

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses