CRITICALCVE-2026-44442Published 2026-05-13Modified 2026-05-14CNA GitHub_M

CVE-2026-44442: ERPNext: Unauthorised Document modification due to missing validation

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

frappe / erpnext
< 16.9.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References

https://github.com/frappe/erpnext/security/advisories/GHSA-cg5w-7g26-p3w9

Metrics