ERP: Document access through endpoints due to missing validation

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/

Description

ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.

AI Analysis

Unauthorized document access due to missing validation in certain endpoints

Basic Information

ID CVE-2026-27471

Source GitHub_M

Published Feb 21, 2026 at 06:38

Affected Product

Vendor frappe

Product erpnext

Version >= 16.0.0-rc.1, < 16.6.1

Affected Versions frappe erpnext >= 16.0.0-rc.1, < 16.6.1
frappe erpnext < 15.98.1

CWE Classification

CWE-862 CWE-306 CWE-284

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Frappe

Product ERPNext

Version 15.98.0, 16.0.0-rc.1, 16.6.0

References

{
    "lastseen": "",
    "description": "ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.",
    "published": "2026-02-21T06:38:11.220Z",
    "modified": "2026-02-21T06:38:11.220Z",
    "type": "cve",
    "title": "ERP: Document access through endpoints due to missing validation",
    "source": "GitHub_M",
    "references": "https://github.com/frappe/erpnext/security/advisories/GHSA-wpfx-jw7g-7f83\nhttps://github.com/frappe/erpnext/commit/78fc9424d9085c2eafe1211931e22d7044f85fc7",
    "id": "CVE-2026-27471",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862",
        "CWE-306",
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "frappe erpnext >= 16.0.0-rc.1, < 16.6.1\nfrappe erpnext < 15.98.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "erpnext",
    "version": ">= 16.0.0-rc.1, < 16.6.1",
    "vendor": "frappe",
    "ai_description": "Unauthorized document access due to missing validation in certain endpoints",
    "ai_severity": "Critical",
    "ai_vendor": "Frappe",
    "ai_product": "ERPNext",
    "ai_version": "15.98.0, 16.0.0-rc.1, 16.6.0",
    "ai_score": 9.3
}

ERP: Document access through endpoints due to missing validation_CVE-2026-27471