CVE-2026-40889
Received Received - Intake
Unauthorized File Access via API in Frappe HR Prior to

Publication date: 2026-04-21

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40889
EUVD
EUVD-2026-24278
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
frappe frappe_hr to 15.58.2 (exc)
frappe frappe_hr From 16.0.0 (inc) to 16.4.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40889 is a moderate severity vulnerability in the Frappe HR open-source human resources management solution. It affects versions prior to 15.58.2 and 16.4.2. The issue is an improper access control weakness that allows authenticated users to access unauthorized files by exploiting certain API endpoints.

This vulnerability has a network attack vector, requires low privileges, and no user interaction. The impact is a high confidentiality loss, while integrity and availability are not affected.

Impact Analysis

This vulnerability can lead to unauthorized access to confidential files within the Frappe HR system by authenticated users. As a result, sensitive information could be exposed, leading to a significant confidentiality breach.

However, the vulnerability does not affect the integrity or availability of the system, meaning data cannot be altered or deleted through this exploit, nor can the system be made unavailable.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade the frappe HRMS software to the patched versions 15.58.2 or 16.4.2.

Compliance Impact

CVE-2026-40889 allows authenticated users to access unauthorized files due to improper access control, resulting in a high confidentiality loss. Such unauthorized data exposure can potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.

However, the provided information does not explicitly mention the impact on compliance with specific standards or regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart