Frappe HR: Permission Bypass in HRMS Leave Details API

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.

Basic Information

ID CVE-2026-45081

Source GitHub_M

Published May 27, 2026 at 17:18

Modified May 27, 2026 at 18:26

Affected Product

Vendor frappe

Product hrms

Version < 16.5.0

Affected Versions frappe hrms < 16.5.0

CWE Classification

CWE-863

References

github.com /frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj

{
    "lastseen": "",
    "description": "Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees\u2019 leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.",
    "published": "2026-05-27T17:18:53.600Z",
    "modified": "2026-05-27T18:26:47.576Z",
    "type": "cve",
    "title": "Frappe HR: Permission Bypass in HRMS Leave Details API",
    "source": "GitHub_M",
    "references": "https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj",
    "id": "CVE-2026-45081",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "frappe hrms < 16.5.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "hrms",
    "version": "< 16.5.0",
    "vendor": "frappe",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Frappe HR: Permission Bypass in HRMS Leave Details API_CVE-2026-45081