Frappe HR vulnerable to Improper Access Control_CVE-2026-40888

6.5 / 10

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.

Basic Information

ID CVE-2026-40888

Source GitHub_M

Published Apr 21, 2026 at 19:28

Modified Apr 21, 2026 at 19:43

Affected Product

Vendor frappe

Product hrms

Version < 15.58.1

Affected Versions frappe hrms < 15.58.1
frappe hrms < 16.4.1

CWE Classification

CWE-284

References

{
    "lastseen": "",
    "description": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.",
    "published": "2026-04-21T19:28:28.849Z",
    "modified": "2026-04-21T19:43:37.506Z",
    "type": "cve",
    "title": "Frappe HR vulnerable to Improper Access Control",
    "source": "GitHub_M",
    "references": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx\nhttps://github.com/frappe/hrms/releases/tag/v15.58.1\nhttps://github.com/frappe/hrms/releases/tag/v16.4.1",
    "id": "CVE-2026-40888",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "frappe hrms < 15.58.1\nfrappe hrms < 16.4.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "hrms",
    "version": "< 15.58.1",
    "vendor": "frappe",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}