CVE-2026-45081
Authentication Bypass in Frappe HR Prior to 16.5.0
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | hr | to 16.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Frappe HR, an open-source human resources management solution. Before version 16.5.0, authenticated employees could improperly access other employees' leave details because the system did not perform proper authorization checks.
How can this vulnerability impact me? :
The vulnerability allows authenticated employees to view sensitive leave information of other employees without proper authorization. This can lead to privacy breaches and unauthorized disclosure of personal employee data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Frappe HR to version 16.5.0 or later, where the improper authorization checks have been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated employees to access other employees' leave details due to improper authorization checks, leading to a high risk to data confidentiality.
Such unauthorized access to personal employee data could potentially violate data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Therefore, until the vulnerability is patched by updating to version 16.5.0, organizations using affected versions may face compliance risks related to confidentiality and privacy requirements.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper authorization checks in the HRMS Leave Details API, allowing authenticated employees to access other employees' leave details.
Detection would involve verifying whether the HRMS software version in use is prior to v16.5.0, as the vulnerability is fixed starting from that version.
Since the vulnerability is in an API endpoint accessed by authenticated users, detection could include monitoring API calls for unauthorized access patterns or testing the API with authenticated employee credentials to see if leave details of other employees can be retrieved.
No specific commands or automated detection scripts are provided in the available resources.