Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27471

CVE-2026-27471: Frappe ERPNext Auth Bypass Vulnerability

CVE-2026-27471 is an authentication bypass flaw in Frappe ERPNext that allows unauthorized access to documents due to missing access validation. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-27471 Overview

CVE-2026-27471 is a critical Broken Access Control vulnerability discovered in Frappe ERPNext, a popular free and open source Enterprise Resource Planning (ERP) tool. The vulnerability exists in versions up to 15.98.0, as well as 16.0.0-rc.1 through 16.6.0, where certain endpoints lack proper access validation, allowing unauthorized users to access sensitive documents without appropriate permissions.

This authorization bypass flaw enables attackers to retrieve confidential business documents through the network without authentication, potentially exposing sensitive financial records, customer data, and internal business information stored within the ERP system.

Critical Impact

Unauthenticated remote attackers can access confidential ERP documents including payment requests, financial records, and business-critical data without any credentials or user interaction required.

Affected Products

  • Frappe ERPNext versions up to 15.98.0
  • Frappe ERPNext 16.0.0-rc.1 and 16.0.0-rc.2
  • Frappe ERPNext versions 16.0.0 through 16.6.0

Discovery Timeline

  • 2026-02-21 - CVE-2026-27471 published to NVD
  • 2026-02-24 - Last updated in NVD database

Technical Details for CVE-2026-27471

Vulnerability Analysis

This vulnerability is classified as CWE-284 (Improper Access Control) and stems from missing permission checks on critical API endpoints within the ERPNext application. The affected endpoints allow document operations such as creating payment requests and reading associated documents without verifying whether the requesting user has appropriate authorization.

The vulnerability is exploitable remotely over the network with low attack complexity and requires no privileges or user interaction. A successful exploit grants attackers high-impact access to both confidential data (confidentiality breach) and the ability to modify records (integrity breach), though system availability is not directly impacted.

Organizations running vulnerable versions of ERPNext are at significant risk, as ERP systems typically contain highly sensitive business data including financial transactions, customer information, supplier details, and internal operational records.

Root Cause

The root cause of this vulnerability is the absence of permission validation in the make_payment_request function within the payment request document type handler. The code failed to verify that the calling user had the necessary create permission for Payment Request documents and read permission for the referenced source document before processing the request.

Without these authorization checks, any user—including unauthenticated attackers—could invoke the payment request creation endpoint and access documents they should not have permission to view or manipulate.

Attack Vector

The attack vector is network-based, targeting the ERPNext web application endpoints. An attacker can craft malicious HTTP requests to vulnerable API endpoints, bypassing access controls to:

  1. Create payment requests for arbitrary documents
  2. Read confidential document data from referenced records
  3. Access financial and business information without proper authorization

The following code shows the security patch that addresses this vulnerability by adding proper permission checks:

python
 	if args.dn and not isinstance(args.dn, str):
 		frappe.throw(_("Invalid parameter. 'dn' should be of type str"))
 
+	frappe.has_permission("Payment Request", "create", throw=True)
+	frappe.has_permission(args.dt, "read", args.dn, throw=True)
+
 	ref_doc = args.ref_doc or frappe.get_doc(args.dt, args.dn)
 	if not args.get("company"):
 		args.company = ref_doc.company

Source: GitHub Commit Details

The patch adds two critical permission checks using Frappe's has_permission() method: one to verify the user can create Payment Request documents, and another to verify read access to the source document type and name before proceeding with the operation.

Detection Methods for CVE-2026-27471

Indicators of Compromise

  • Unusual API requests to /api/method/erpnext.accounts.doctype.payment_request.payment_request.make_payment_request from unauthenticated or low-privilege sessions
  • High volume of document access requests originating from single IP addresses or unauthorized user accounts
  • Access logs showing successful retrieval of sensitive documents by users without corresponding role permissions
  • Anomalous patterns in payment request creation activity

Detection Strategies

  • Implement web application firewall (WAF) rules to monitor and alert on access to payment request endpoints from unauthorized sources
  • Enable detailed audit logging for all document access operations within ERPNext
  • Deploy application security monitoring to detect authorization bypass attempts and unusual API access patterns
  • Review access logs for evidence of bulk document enumeration or unauthorized data retrieval

Monitoring Recommendations

  • Monitor ERPNext application logs for failed and successful document access attempts
  • Set up alerts for payment request creation from unauthenticated sessions
  • Implement anomaly detection for document access patterns that deviate from normal user behavior
  • Configure real-time alerting for high-frequency API requests to sensitive endpoints

How to Mitigate CVE-2026-27471

Immediate Actions Required

  • Upgrade Frappe ERPNext to version 15.98.1 or 16.6.1 immediately
  • Review access logs to identify any potential exploitation prior to patching
  • Audit user permissions and ensure principle of least privilege is enforced
  • Implement network segmentation to limit exposure of ERP systems to untrusted networks

Patch Information

Frappe has released security patches that address this vulnerability by adding proper permission validation to the affected endpoints. The fix is available in ERPNext versions 15.98.1 and 16.6.1. Organizations should apply these updates as soon as possible.

For detailed information about the fix, refer to the GitHub Security Advisory GHSA-wpfx-jw7g-7f83 and the commit implementing the security patch.

Workarounds

  • Restrict network access to ERPNext instances using firewall rules to allow only trusted IP ranges
  • Place ERPNext behind an authenticated reverse proxy requiring authentication before reaching the application
  • Implement additional WAF rules to block unauthenticated requests to sensitive API endpoints
  • Temporarily disable or restrict access to payment request functionality until patches can be applied
bash
# Example: Restrict access to ERPNext at the web server level (nginx)
location /api/method/erpnext.accounts.doctype.payment_request {
    # Allow only authenticated internal networks
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    
    # Require authentication header
    if ($http_authorization = "") {
        return 403;
    }
    
    proxy_pass http://erpnext_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne