CVE 9.9 CRITICAL

ERPNext: Unauthorised Document modification due to missing validation_CVE-2026-44442

May 13, 2026 invoker category_cve

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.

AI Analysis

Unauthorised modification of documents due to missing validation in ERPNext

Basic Information

ID CVE-2026-44442

Source GitHub_M

Published May 13, 2026 at 21:11

Affected Product

Vendor frappe

Product erpnext

Version < 16.9.1

Affected Versions frappe erpnext < 16.9.1

CWE Classification

CWE-862

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor Frappe

Product ERPNext

Version < 16.9.1

References

github.com /frappe/erpnext/security/advisories/GHSA-cg5w-7g26-p3w9

{
    "lastseen": "",
    "description": "ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.",
    "published": "2026-05-13T21:11:14.186Z",
    "modified": "2026-05-13T21:11:14.186Z",
    "type": "cve",
    "title": "ERPNext: Unauthorised Document modification due to missing validation",
    "source": "GitHub_M",
    "references": "https://github.com/frappe/erpnext/security/advisories/GHSA-cg5w-7g26-p3w9",
    "id": "CVE-2026-44442",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "frappe erpnext < 16.9.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "erpnext",
    "version": "< 16.9.1",
    "vendor": "frappe",
    "ai_description": "Unauthorised modification of documents due to missing validation in ERPNext",
    "ai_severity": "Critical",
    "ai_vendor": "Frappe",
    "ai_product": "ERPNext",
    "ai_version": "< 16.9.1",
    "ai_score": 9.9
}

💭 Join the Security Discussion ❌ Cancel Reply