Frappe ERPNext up to 15.98.0/16.6.0 authorization

Summaryinfo

A vulnerability has been found in Frappe ERPNext up to 15.98.0/16.6.0 and classified as critical. The affected element is an unknown function. This manipulation causes authorization. This vulnerability is tracked as CVE-2026-27471. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded.

Detailsinfo

A vulnerability has been found in Frappe ERPNext up to 15.98.0/16.6.0 and classified as critical. Affected by this vulnerability is an unknown part. The manipulation with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.

It is possible to read the advisory at github.com. This vulnerability is known as CVE-2026-27471 since 02/19/2026. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 15.98.1 or 16.6.1 eliminates this vulnerability. Applying the patch 78fc9424d9085c2eafe1211931e22d7044f85fc7 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Vendor

• Frappe

Name

• ERPNext

Version

• 15.0
• 15.1
• 15.2
• 15.3
• 15.4
• 15.5
• 15.6
• 15.7
• 15.8
• 15.9
• 15.10
• 15.11
• 15.12
• 15.13
• 15.14
• 15.15
• 15.16
• 15.17
• 15.18
• 15.19
• 15.20
• 15.21
• 15.22
• 15.23
• 15.24
• 15.25
• 15.26
• 15.27
• 15.28
• 15.29
• 15.30
• 15.31
• 15.32
• 15.33
• 15.34
• 15.35
• 15.36
• 15.37
• 15.38
• 15.39
• 15.40
• 15.41
• 15.42
• 15.43
• 15.44
• 15.45
• 15.46
• 15.47
• 15.48
• 15.49
• 15.50
• 15.51
• 15.52
• 15.53
• 15.54
• 15.55
• 15.56
• 15.57
• 15.58
• 15.59
• 15.60
• 15.61
• 15.62
• 15.63
• 15.64
• 15.65
• 15.66
• 15.67
• 15.68
• 15.69
• 15.70
• 15.71
• 15.72
• 15.73
• 15.74
• 15.75
• 15.76
• 15.77
• 15.78
• 15.79
• 15.80
• 15.81
• 15.82
• 15.83
• 15.84
• 15.85
• 15.86
• 15.87
• 15.88
• 15.89
• 15.90
• 15.91
• 15.92
• 15.93
• 15.94
• 15.95
• 15.96
• 15.97
• 15.98.0
• 16.0
• 16.1
• 16.2
• 16.3
• 16.4
• 16.5
• 16.6.0

License

• open-source

Website

• Product: https://github.com/frappe/erpnext/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion