CVE-2026-27471
Unauthorized Access via Missing Validation in ERP Endpoints
Publication date: 2026-02-21
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | erpnext | to 15.98.1 (exc) |
| frappe | erpnext | From 16.0.0 (exc) to 16.6.1 (exc) |
| frappe | erpnext | 16.0.0 |
| frappe | erpnext | 16.0.0 |
| frappe | erpnext | 16.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-27471 is a critical security vulnerability in the ERPNext Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 through 16.6.0, certain API endpoints lacked proper access validation. This flaw allowed unauthorized users to access sensitive documents without permission.'}, {'type': 'paragraph', 'content': "The vulnerability was fixed by adding explicit permission checks in the code, ensuring that users must have the appropriate 'create' and 'read' permissions to interact with payment requests and related documents. Additionally, guest access to certain functions was removed to restrict actions to authenticated users only."}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive documents within the ERPNext system. Attackers or unauthorized users could view or interact with documents they should not have access to, potentially exposing confidential business information.
Such unauthorized access could result in data breaches, financial loss, or manipulation of payment requests, which could severely impact business operations and trust.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The only effective mitigation for this vulnerability is to upgrade ERPNext to the fixed versions 15.98.1 or 16.6.1.
There are no available workarounds to mitigate this issue without upgrading.