CVE-2026-44441 Overview
CVE-2026-44441 is a Server-Side Request Forgery (SSRF) vulnerability in ERPNext, the free and open source Enterprise Resource Planning (ERP) system maintained by Frappe. The flaw exists in versions prior to 15.106.0 and 16.16.0. An authenticated user can send a crafted request to a vulnerable endpoint and cause the ERPNext server to issue an HTTP request to an attacker-chosen destination. The weakness is classified as CWE-918 (Server-Side Request Forgery) and is fixed in releases 15.106.0 and 16.16.0.
Critical Impact
An authenticated attacker can coerce the ERPNext server into making outbound HTTP requests to arbitrary destinations from the server's own network position, enabling reconnaissance of internal networks, access to cloud instance metadata services, and interaction with non-public services that trust requests originating from the application host.
Affected Products
- ERPNext versions prior to 15.106.0
- ERPNext versions prior to 16.16.0 (16.x branch)
- Self-hosted and cloud deployments of Frappe ERPNext on these versions
Discovery Timeline
- 2026-05-13 - CVE-2026-44441 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44441
Vulnerability Analysis
The vulnerability is a Server-Side Request Forgery (SSRF) flaw, categorized under CWE-918. ERPNext exposes an endpoint that accepts a user-controlled URL or hostname and triggers a server-side HTTP call to that destination. Because the destination is not adequately validated, an authenticated, low-privileged user can direct the server at arbitrary internal or external services.
The attack is performed remotely over the network, requires only low privileges (any authenticated account able to reach the endpoint), and needs no user interaction. In CVSS terms the scope is changed: the vulnerable ERPNext process can reach resources beyond its own security boundary, including internal-only services that are unreachable from the public internet.
The confidentiality impact is limited to information returned through the forged HTTP request. Integrity and availability of ERPNext itself are not directly affected by the SSRF primitive described in the advisory; any state change would have to come from a downstream service that acts on the forged request.
Root Cause
The root cause is missing or insufficient validation of a user-supplied URL before the ERPNext backend issues an outbound HTTP request. The endpoint trusts the user-provided target without restricting it to an allowlist of destinations or rejecting internal IP ranges, loopback and link-local addresses, and cloud metadata endpoints. A string check on the hostname alone is not sufficient for this class of bug: the check has to cover the address the request actually connects to, after DNS resolution, including literal IPs in alternative encodings, and it has to be repeated on every redirect.
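The validation the root cause calls for, as an added example in Python (not ERPNext's or Frappe's own code): a fetch entry point in the unsafe shape next to a validator that enforces a scheme check, refuses userinfo in the URL, applies an optional host allowlist, and checks every resolved address against internal, loopback and link-local ranges. The hostnames, addresses and DNS answers are constructed so the example runs offline; the resolver is injectable for that reason, and in production it would be socket.getaddrinfo.

```python
"""Added example, not code from ERPNext or Frappe.

A URL-fetching entry point in the shape a CWE-918 sink usually takes, next to a
hardened version that validates the destination before any request is issued.
Hostnames go through an injectable resolver so this runs offline against a
constructed DNS table; in production pass a real resolver and connect to the
validated address rather than re-resolving the hostname at connect time.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers (no real lookups). 93.184.216.x stands in for public
# addresses; the others are internal, loopback or link-local on purpose.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.attacker.example": ["93.184.216.35", "10.0.0.5"],  # one public, one internal record
    "loop.attacker.example": ["127.0.0.1"],
}


def fake_resolve(host):
    """Stand-in for socket.getaddrinfo that returns only the address strings."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: no record for {host!r}")
    return FAKE_DNS[host]


def vulnerable_target(url):
    """The unsafe pattern: the caller-supplied URL alone decides where the server connects."""
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80)


class BlockedDestination(ValueError):
    """Raised when a destination fails the SSRF checks."""


def is_forbidden_ip(ip):
    """Reject RFC1918, loopback, link-local (covers 169.254.169.254), multicast,
    reserved and unspecified addresses. IPv4-mapped IPv6 (::ffff:10.0.0.1) is
    unwrapped first so it cannot carry an internal IPv4 address past the check."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url, resolve=fake_resolve, allowed_hosts=None):
    """Return (hostname, [addresses]) for a permitted URL or raise BlockedDestination.

    Every address the name resolves to is checked, so a name with one public and
    one internal record (a DNS rebinding setup) is rejected rather than passed on luck.
    """
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        raise BlockedDestination(f"scheme not allowed: {p.scheme!r}")
    host = p.hostname
    if not host:
        raise BlockedDestination("URL has no host")
    if p.username is not None or p.password is not None:
        # http://trusted.example@10.0.0.5/ parses with hostname 10.0.0.5; refuse userinfo outright
        raise BlockedDestination("userinfo in URL is not allowed")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise BlockedDestination(f"host not on allowlist: {host!r}")
    try:
        # Literal IP, including the plain-integer form (2130706433 == 127.0.0.1)
        addrs = [ipaddress.ip_address(int(host) if host.isdigit() else host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    for ip in addrs:
        if is_forbidden_ip(ip):
            raise BlockedDestination(f"{host!r} resolves to forbidden address {ip}")
    return host, [str(a) for a in addrs]


def is_safe_target(url, **kw):
    """Boolean wrapper around validate_target for policy checks."""
    try:
        validate_target(url, **kw)
        return True
    except (BlockedDestination, socket.gaierror):
        return False
```

Two things the block deliberately leaves to the caller: the HTTP client must connect to the address set that was validated, not look the name up again (a second lookup can return a different, internal answer), and redirects need the same check on each hop, so either disable automatic redirects or validate the Location target before following it.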
Attack Vector
An authenticated user sends a crafted HTTP request to the vulnerable ERPNext endpoint with a target URL of their choice. The ERPNext server then performs an HTTP call to that target from its own network context. Attackers commonly use this primitive to probe internal services, query cloud metadata endpoints, or interact with services that trust requests originating from the application server. See the GitHub Security Advisory GHSA-m4m4-j2m2-7fcw for advisory details.
Detection Methods for CVE-2026-44441
Indicators of Compromise
- Outbound HTTP or HTTPS connections initiated by the ERPNext application process to internal IP ranges such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
- Requests from the ERPNext server to cloud metadata endpoints such as 169.254.169.254 (on AWS also the IPv6 address fd00:ec2::254, and on GCP the name metadata.google.internal).
- Unexpected outbound connections from the ERPNext host to attacker-controlled domains shortly after authenticated API activity.
Detection Strategies
- Inspect ERPNext and reverse proxy access logs for authenticated requests whose URL parameters point to internal hosts or unusual external domains. Access logs only show query strings; URLs submitted in POST bodies are visible only in application-level request logging.
- Correlate inbound API calls from low-privileged user sessions with subsequent outbound HTTP traffic from the ERPNext worker processes.
- Run versioned software inventory checks to flag ERPNext deployments below 15.106.0 or 16.16.0.
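The three detection strategies above, as an added example in Python (not ERPNext or Frappe tooling): scanning nginx "combined" access log lines for URL-valued query parameters that name an internal destination, correlating each hit with egress flow records from the application host inside a short window, and flagging versions below the fixed releases. The log lines, flow records and IP addresses are constructed, and the API method name placeholder.fetch_url is a placeholder, not the affected endpoint.

```python
"""Added example, not ERPNext or Frappe tooling. Scans nginx "combined" access log lines
for query parameters carrying a URL aimed at an internal/loopback/link-local/metadata
destination, correlates hits with egress flow records from the app host, and flags
ERPNext versions below the fixed releases. All log lines, flow records, addresses and
the API method name placeholder.fetch_url are constructed for this example."""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

FIXED = {15: (15, 106, 0), 16: (16, 16, 0)}  # first fixed release per branch (advisory)
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SUSPICIOUS_HOSTS = {"localhost", "metadata.google.internal", "metadata"}
BARE_HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+(?::\d+)?(?:/|$)")

# Constructed access log: three requests aimed at metadata/loopback/ULA addresses, one
# legitimate external fetch, one ordinary API call, and one POST whose URL travels in
# the body and is therefore invisible to the access log.
ACCESS_LOG = """\
203.0.113.7 - - [13/May/2026:10:00:01 +0000] "GET /api/method/placeholder.fetch_url?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 812 "-" "curl/8.5.0"
203.0.113.7 - - [13/May/2026:10:00:09 +0000] "GET /api/method/placeholder.fetch_url?url=http%3A%2F%2F2130706433%2F HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [13/May/2026:10:00:15 +0000] "GET /api/method/placeholder.fetch_url?url=http%3A%2F%2F%5Bfd00%3Aec2%3A%3A254%5D%2F HTTP/1.1" 200 96 "-" "curl/8.5.0"
198.51.100.9 - - [13/May/2026:10:01:00 +0000] "GET /api/method/placeholder.fetch_url?url=https%3A%2F%2Fapi.partner.example%2Frates HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [13/May/2026:10:01:05 +0000] "GET /api/resource/Customer?fields=%5B%22name%22%5D&limit=20 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2026:10:02:00 +0000] "POST /api/method/placeholder.fetch_url HTTP/1.1" 200 128 "-" "curl/8.5.0"
""".splitlines()

# Constructed egress flow records from the app host (as from conntrack or VPC flow logs).
EGRESS_FLOWS = [
    {"ts": "2026-05-13T10:00:01+00:00", "dst": "169.254.169.254", "dport": 80},
    {"ts": "2026-05-13T10:00:30+00:00", "dst": "10.0.3.12", "dport": 3306},    # database, outside every window
    {"ts": "2026-05-13T10:01:01+00:00", "dst": "93.184.216.34", "dport": 443},  # the legitimate fetch
]


def flagged_reason(host):
    """Why a destination is suspicious, or None. Digit-only hosts are decoded as
    plain-integer IPs (2130706433 == 127.0.0.1), which most HTTP clients accept."""
    if host is None:
        return None
    if host in SUSPICIOUS_HOSTS or host.endswith(".internal"):
        return "suspicious hostname"
    try:
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    if ip.is_loopback:
        return "loopback address"
    if ip.is_link_local:
        return "link-local/metadata address"
    if ip.is_private:
        return "private address"
    return None


def destination_of(value):
    """Hostname a parameter value points at (full URL or bare host[:port][/path]), else None."""
    if "://" in value:
        candidate = value
    elif BARE_HOST_RE.match(value) or value.split("/")[0].split(":")[0] in SUSPICIOUS_HOSTS:
        candidate = "http://" + value
    else:
        return None
    try:
        return urlsplit(candidate).hostname
    except ValueError:  # malformed bracketed IPv6 literal
        return None


def scan_access_log(lines):
    """Requests whose query parameters name a flagged destination (POST bodies are not visible here)."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            host = destination_of(value)
            reason = flagged_reason(host)
            if reason:
                hits.append({"ts": datetime.strptime(m["ts"], TS_FMT), "src": m["src"],
                             "path": url.path, "param": name, "target": host, "reason": reason})
    return hits


def correlate(hits, flows, window=timedelta(seconds=5)):
    """Pair each hit with egress flows to a flagged destination that start within `window` after it."""
    pairs = []
    for h in hits:
        for f in flows:
            started = datetime.fromisoformat(f["ts"])
            if h["ts"] <= started <= h["ts"] + window and flagged_reason(f["dst"]):
                pairs.append((h["src"], h["target"], f["dst"], f["dport"]))
    return pairs


def is_vulnerable_version(version):
    """True for ERPNext releases below 15.106.0 (15.x and older branches) or below 16.16.0 (16.x)."""
    parts = tuple(int(x) for x in version.lstrip("v").split(".")[:3])
    parts = (parts + (0, 0, 0))[:3]
    fixed = FIXED.get(parts[0])
    if fixed is None:
        return parts[0] < 15  # older branches are also "prior to 15.106.0"; newer ones are not listed
    return parts < fixed
```

Correlating on the source IP rather than on the Frappe account is a limitation of access logs: Frappe authenticates with session cookies or API keys, so the remote_user field is normally "-", and attributing a hit to a user needs the application's own request logging. The decimal-only URL in the second line is the kind of encoding a hostname blocklist misses, which is why flagged_reason converts digit-only hosts to an address instead of dismissing them.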
Monitoring Recommendations
- Monitor egress traffic from ERPNext application servers and alert on connections to RFC1918 ranges, link-local addresses, and cloud metadata IPs.
- Enable verbose request logging on the ERPNext endpoint and forward logs to a centralized analytics platform for review.
- Track authentication events for accounts that generate anomalous volumes of outbound HTTP calls through the application.
How to Mitigate CVE-2026-44441
Immediate Actions Required
- Upgrade ERPNext to version 15.106.0 or 16.16.0 or later, depending on your release branch.
- Audit user accounts and revoke unnecessary access to API endpoints that accept URL parameters.
- Review egress logs from ERPNext hosts for the last several weeks to identify suspicious outbound HTTP traffic.
Patch Information
The vulnerability is fixed in ERPNext 15.106.0 and 16.16.0. Apply the upstream patch by upgrading through your normal Frappe Bench or container deployment process. Patch details are published in the GitHub Security Advisory GHSA-m4m4-j2m2-7fcw.
Workarounds
- Restrict egress traffic from ERPNext application servers using host or network firewall rules that block internal ranges, link-local addresses and cloud metadata endpoints (for both IPv4 and IPv6), with explicit exceptions for the database, cache and any other backends the application must reach.
- Place ERPNext behind an outbound HTTP proxy with an allowlist of approved destinations.
- Limit the user roles authorized to call endpoints that accept URL parameters until the upgrade is applied.
# Example egress restriction using iptables: block the frappe service account from reaching
# cloud metadata, link-local and RFC1918 ranges. ACCEPT rules for backends the application
# needs (MariaDB, Redis; the address below is a placeholder) must come BEFORE the REJECT rules.
iptables -A OUTPUT -m owner --uid-owner frappe -d 10.0.3.12 -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner frappe -d 169.254.0.0/16 -j REJECT   # covers 169.254.169.254
iptables -A OUTPUT -m owner --uid-owner frappe -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner frappe -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner frappe -d 192.168.0.0/16 -j REJECT
# Repeat with ip6tables for IPv6 (fc00::/7 unique-local, fe80::/10 link-local, fd00:ec2::254 on AWS).
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.