CVE-2026-32954 Overview
CVE-2026-32954 is a blind SQL injection vulnerability in Frappe ERPNext, a free and open source Enterprise Resource Planning (ERP) tool. The flaw affects ERPNext versions prior to 15.100.0 and 16.8.0. Certain endpoints insufficiently validate user-supplied parameters, allowing both time-based and boolean-based blind SQL injection [CWE-89]. Unauthenticated attackers can infer database contents over the network without user interaction. The maintainers released fixed versions 15.100.0 and 16.8.0 to address the issue.
Critical Impact
Remote attackers can extract sensitive ERP data, including financial records, customer information, and credentials, by issuing crafted requests to vulnerable endpoints.
Affected Products
- Frappe ERPNext versions prior to 15.100.0 (15.x branch)
- Frappe ERPNext versions prior to 16.8.0 (16.x branch)
- Self-hosted and cloud-deployed ERPNext instances exposing affected endpoints
Discovery Timeline
- 2026-03-20 - CVE-2026-32954 published to the National Vulnerability Database
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32954
Vulnerability Analysis
The vulnerability stems from insufficient parameter validation in specific ERPNext HTTP endpoints. User-supplied input flows into SQL queries without proper sanitization or parameterized binding. Attackers exploit this through two blind SQL injection techniques: time-based and boolean-based inference.
In a time-based attack, the attacker injects payloads that force the database to delay responses when a condition is true. Response latency reveals whether the underlying SQL predicate evaluated to true or false. In a boolean-based attack, the injected payload alters application behavior depending on the truth value of the predicate, allowing bit-by-bit extraction of database contents.
Because ERPNext stores financial transactions, customer records, employee data, and authentication material, successful exploitation exposes high-value confidential data. The CVSS vector indicates impact is limited to confidentiality, with no direct integrity or availability degradation.
Root Cause
The root cause is unsafe construction of SQL statements using untrusted input. Affected endpoints concatenate request parameters into queries rather than using parameterized prepared statements or applying type-strict validation. This is a classic instance of CWE-89, Improper Neutralization of Special Elements used in an SQL Command.
Attack Vector
The vulnerability is exploitable remotely over the network with no authentication and no user interaction. An attacker sends crafted HTTP requests containing SQL syntax in vulnerable parameters. Repeated requests automate the inference of table names, column names, and row values from the backing MariaDB or MySQL database.
No verified public exploit code is available at this time. See the GitHub Security Advisory GHSA-j669-ghv2-gmqg for vendor-provided technical context.
Detection Methods for CVE-2026-32954
Indicators of Compromise
- HTTP requests to ERPNext endpoints containing SQL keywords such as SLEEP(, BENCHMARK(, UNION SELECT, AND 1=1, or OR 1=2 in query parameters or POST bodies.
- Repeated requests from a single source with incrementally varying parameter values, characteristic of automated blind injection tooling.
- Web server access logs showing abnormally long response times correlated with specific parameter patterns.
Detection Strategies
- Deploy web application firewall (WAF) rules that flag SQL meta-characters and time-delay functions in requests to ERPNext URIs.
- Enable MariaDB or MySQL general query logging and alert on queries containing SLEEP, BENCHMARK, or unusual UNION constructs originating from the ERPNext application user.
- Correlate HTTP request duration outliers with the source IP and target endpoint to surface time-based injection attempts.
Monitoring Recommendations
- Monitor outbound data volume from the ERPNext database host for sustained low-and-slow exfiltration patterns.
- Track authentication failures and unusual access to /api/method/ and /api/resource/ routes from unauthenticated sources.
- Review database error logs for syntax errors that indicate probing activity against injection-vulnerable parameters.
How to Mitigate CVE-2026-32954
Immediate Actions Required
- Upgrade ERPNext to version 15.100.0 or 16.8.0 or later without delay.
- Restrict network exposure of ERPNext instances to trusted networks or place them behind an authenticated reverse proxy.
- Audit database logs and HTTP access logs since the deployment date for indicators of prior injection attempts.
Patch Information
The Frappe team fixed CVE-2026-32954 in ERPNext v15.100.0 and ERPNext v16.8.0. The patches add proper parameter validation on the affected endpoints. Refer to the GitHub Security Advisory GHSA-j669-ghv2-gmqg for the full advisory.
Workarounds
- Deploy WAF signatures that block SQL injection payloads targeting ERPNext API endpoints until upgrade is complete.
- Limit database user privileges for the ERPNext service account to the minimum required, reducing the scope of inferable data.
- Disable or restrict access to any non-essential ERPNext API endpoints exposed to untrusted networks.
# Upgrade ERPNext using bench (15.x branch)
bench switch-to-branch version-15 erpnext --upgrade
bench update --reset
bench --site all migrate
# Or for 16.x branch
bench switch-to-branch version-16 erpnext --upgrade
bench update --reset
bench --site all migrate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
