CVE-2026-40889
Received Received - Intake

Unauthorized File Access via API in Frappe HR Prior to

Vulnerability report for CVE-2026-40889, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-21

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-21
Last Modified
2026-04-27
Generated
2026-07-06
AI Q&A
2026-04-21
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
frappe frappe_hr to 15.58.2 (exc)
frappe frappe_hr From 16.0.0 (inc) to 16.4.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-40889 is a moderate severity vulnerability in the Frappe HR open-source human resources management solution. It affects versions prior to 15.58.2 and 16.4.2. The issue is an improper access control weakness that allows authenticated users to access unauthorized files by exploiting certain API endpoints.

This vulnerability has a network attack vector, requires low privileges, and no user interaction. The impact is a high confidentiality loss, while integrity and availability are not affected.

Impact Analysis

This vulnerability can lead to unauthorized access to confidential files within the Frappe HR system by authenticated users. As a result, sensitive information could be exposed, leading to a significant confidentiality breach.

However, the vulnerability does not affect the integrity or availability of the system, meaning data cannot be altered or deleted through this exploit, nor can the system be made unavailable.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade the frappe HRMS software to the patched versions 15.58.2 or 16.4.2.

Compliance Impact

CVE-2026-40889 allows authenticated users to access unauthorized files due to improper access control, resulting in a high confidentiality loss. Such unauthorized data exposure can potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.

However, the provided information does not explicitly mention the impact on compliance with specific standards or regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart