CVE-2026-27471
Received Received - Intake
Unauthorized Access via Missing Validation in ERP Endpoints

Publication date: 2026-02-21

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27471
EUVD
EUVD-2026-7727
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
frappe erpnext to 15.98.1 (exc)
frappe erpnext From 16.0.0 (exc) to 16.6.1 (exc)
frappe erpnext 16.0.0
frappe erpnext 16.0.0
frappe erpnext 16.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27471 is a critical security vulnerability in the ERPNext Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 through 16.6.0, certain API endpoints lacked proper access validation. This flaw allowed unauthorized users to access sensitive documents without permission.'}, {'type': 'paragraph', 'content': "The vulnerability was fixed by adding explicit permission checks in the code, ensuring that users must have the appropriate 'create' and 'read' permissions to interact with payment requests and related documents. Additionally, guest access to certain functions was removed to restrict actions to authenticated users only."}] [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive documents within the ERPNext system. Attackers or unauthorized users could view or interact with documents they should not have access to, potentially exposing confidential business information.

Such unauthorized access could result in data breaches, financial loss, or manipulation of payment requests, which could severely impact business operations and trust.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The only effective mitigation for this vulnerability is to upgrade ERPNext to the fixed versions 15.98.1 or 16.6.1.

There are no available workarounds to mitigate this issue without upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart