CVE-2026-45081
Deferred Deferred - Pending Action
Authentication Bypass in Frappe HR Prior to 16.5.0

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-01
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45081
EUVD
EUVD-2026-32608
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe hr to 16.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Frappe HR, an open-source human resources management solution. Before version 16.5.0, authenticated employees could improperly access other employees' leave details because the system did not perform proper authorization checks.

Impact Analysis

The vulnerability allows authenticated employees to view sensitive leave information of other employees without proper authorization. This can lead to privacy breaches and unauthorized disclosure of personal employee data.

Mitigation Strategies

To mitigate this vulnerability, upgrade Frappe HR to version 16.5.0 or later, where the improper authorization checks have been fixed.

Compliance Impact

This vulnerability allows authenticated employees to access other employees' leave details due to improper authorization checks, leading to a high risk to data confidentiality.

Such unauthorized access to personal employee data could potentially violate data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, until the vulnerability is patched by updating to version 16.5.0, organizations using affected versions may face compliance risks related to confidentiality and privacy requirements.

Detection Guidance

This vulnerability involves improper authorization checks in the HRMS Leave Details API, allowing authenticated employees to access other employees' leave details.

Detection would involve verifying whether the HRMS software version in use is prior to v16.5.0, as the vulnerability is fixed starting from that version.

Since the vulnerability is in an API endpoint accessed by authenticated users, detection could include monitoring API calls for unauthorized access patterns or testing the API with authenticated employee credentials to see if leave details of other employees can be retrieved.

No specific commands or automated detection scripts are provided in the available resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45081. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart