CVE-2026-40888
Unauthorized Information Disclosure via API in Frappe HR
Publication date: 2026-04-21
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | frappe_hr | to 15.58.1 (exc) |
| frappe | frappe_hr | From 16.0.0 (inc) to 16.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific detection method or commands provided in the available information to identify exploitation of CVE-2026-40888 on your network or system.
The vulnerability involves unauthorized access to information via certain API endpoints by an authenticated user with default role. Detection would likely require monitoring API access patterns or reviewing logs for unusual access to employee details or expense claim actions.
Since no explicit detection commands or tools are mentioned, the recommended action is to ensure your frappe HRMS installation is updated to versions 15.58.1 or 16.4.1 where the vulnerability is patched.
Can you explain this vulnerability to me?
CVE-2026-40888 is a security vulnerability in the Frappe HR human resources management system. It allows an authenticated user with a default role to access unauthorized information by exploiting certain API endpoints. This improper access control issue means users can see data they should not have permission to view.
The vulnerability affects versions prior to 15.58.1 and 16.4.1, which contain patches that restrict the information accessible through the API, limiting it to only essential employee details like Employee Name, Company, and Department.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive employee information, resulting in a high confidentiality impact. An attacker with basic authenticated access could view private data that should be restricted.
Additionally, the vulnerability could cause improper payment processing, such as accidental payments for rejected expense claims, due to UI elements like the 'Create Payment' button being accessible when they should not be.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your Frappe HRMS installation to version 15.58.1 or 16.4.1, as these versions contain patches that fix the issue.
- Remove or disable the 'Create Payment' button when an Expense Claim is rejected to prevent accidental payment processing.
- Ensure the system uses the secure client API to load employee details in Roster shift assignments, restricting visible information to only Employee Name, Company, and Department.
No known workarounds are available, so upgrading to the fixed versions is the only effective remediation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an authenticated user with a default role to access unauthorized information through certain API endpoints, leading to a high confidentiality loss.
This unauthorized data exposure could potentially violate data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
The patched versions (15.58.1 and 16.4.1) mitigate this risk by restricting visible employee information to only Employee Name, Company, and Department, thereby enhancing data privacy and reducing the risk of non-compliance.