ERPNext: Unauthorised Document modification due to missing validation_CVE-2026-44448

5.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Description

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0.

Basic Information

ID CVE-2026-44448

Source GitHub_M

Published May 13, 2026 at 21:20

Affected Product

Vendor frappe

Product erpnext

Version >= 16.0.0-beta.1, < 16.11.0

Affected Versions frappe erpnext >= 16.0.0-beta.1, < 16.11.0
frappe erpnext < 15.102.0

CWE Classification

CWE-862

References

github.com /frappe/erpnext/security/advisories/GHSA-444j-g95x-5pqv

{
    "lastseen": "",
    "description": "ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0.",
    "published": "2026-05-13T21:20:20.570Z",
    "modified": "2026-05-13T21:20:20.570Z",
    "type": "cve",
    "title": "ERPNext: Unauthorised Document modification due to missing validation",
    "source": "GitHub_M",
    "references": "https://github.com/frappe/erpnext/security/advisories/GHSA-444j-g95x-5pqv",
    "id": "CVE-2026-44448",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "frappe erpnext >= 16.0.0-beta.1, < 16.11.0\nfrappe erpnext < 15.102.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "erpnext",
    "version": ">= 16.0.0-beta.1, < 16.11.0",
    "vendor": "frappe",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}