CVE-2026-45081 Overview
CVE-2026-45081 is an authorization flaw in Frappe HR, an open-source human resources management solution (HRMS) built on the Frappe framework. Versions prior to 16.5.0 fail to enforce proper authorization checks on leave records. Authenticated employees can retrieve other employees' leave details, including dates, types, and reasons for absence. The issue is tracked under CWE-863: Incorrect Authorization and is fixed in release 16.5.0.
Critical Impact
Any authenticated user with a valid Frappe HR employee account can read leave details belonging to other employees, exposing sensitive personal and medical-related information across the organization.
Affected Products
- Frappe HR (HRMS) versions prior to 16.5.0
- Self-hosted Frappe HR deployments
- Frappe Cloud tenants running unpatched HRMS instances
Discovery Timeline
- 2026-05-27 - CVE-2026-45081 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45081
Vulnerability Analysis
Frappe HR exposes leave management endpoints that should restrict record visibility to the requesting employee, their reporting manager, and HR roles. Prior to 16.5.0, server-side permission checks on leave-related Doctypes were incomplete. Authenticated employees could query leave records belonging to colleagues by referencing identifiers or filters that the authorization layer failed to validate.
The disclosed data may include leave start and end dates, leave type, and reasons for absence. Leave reasons frequently contain medical or family information, increasing the sensitivity of the exposure. The flaw breaks confidentiality without affecting integrity or availability.
Root Cause
The root cause is improper authorization on leave Doctype access (CWE-863). The application relied on role assignment without verifying that the requesting user owned or had a delegated relationship to the queried leave record. Permission query conditions did not constrain results to the calling employee's scope, allowing record retrieval across employee boundaries.
Attack Vector
Exploitation requires only valid Frappe HR credentials with the standard Employee role. An attacker authenticates to the HRMS web interface or REST API, then issues requests against leave endpoints while substituting the target employee's identifier or removing scoping filters. The server returns leave records that should be restricted. No user interaction from the victim is required, and the attack is fully remote over the network. Technical details are documented in the Frappe HR GitHub Security Advisory GHSA-9jpf-5vrm-hpcj.
Detection Methods for CVE-2026-45081
Indicators of Compromise
- Unusual volume of GET or frappe.client.get_list requests against Leave Application, Leave Allocation, or Leave Ledger Entry Doctypes from a single employee session.
- API calls from non-HR, non-manager accounts returning leave records for multiple employee identifiers.
- Sequential enumeration patterns over employee IDs in HRMS access logs.
Detection Strategies
- Audit Frappe HR application logs for leave Doctype reads where the user field does not match the employee field or an authorized manager mapping.
- Compare requesting user roles against accessed records to flag Employee-role accounts reading leave data outside their own scope.
- Baseline normal leave query volume per user and alert on deviations consistent with bulk enumeration.
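The three strategies above combined into one pass over access logs, as an added example that is not part of the advisory or of Frappe HR: it flags leave Doctype reads whose requesting user is neither the record's employee, that employee's reporting manager, nor an HR role, and raises an enumeration alert when one user reads several out-of-scope employee IDs. The log format, user-to-employee mapping, reporting lines and threshold are constructed assumptions.

```python
import re

# Constructed sample log in a simplified "<ts> user=<login> doctype=<name> employee=<id>"
# format; real Frappe access logs need their own parser, but the scoring logic is the same.
SAMPLE_LOG = """\
2026-05-28T09:01:02 user=alice@example.com doctype="Leave Application" employee=HR-EMP-00001
2026-05-28T09:01:05 user=alice@example.com doctype="Leave Application" employee=HR-EMP-00002
2026-05-28T09:01:07 user=alice@example.com doctype="Leave Application" employee=HR-EMP-00003
2026-05-28T09:01:09 user=alice@example.com doctype="Leave Application" employee=HR-EMP-00004
2026-05-28T09:30:00 user=bob@example.com doctype="Leave Application" employee=HR-EMP-00002
2026-05-28T09:31:00 user=bob@example.com doctype="Leave Application" employee=HR-EMP-00005
2026-05-28T10:00:00 user=hr@example.com doctype="Leave Allocation" employee=HR-EMP-00003
"""

# Constructed reference data, as an admin would export from the Employee and User Doctypes.
USER_TO_EMPLOYEE = {"alice@example.com": "HR-EMP-00001",
                    "bob@example.com": "HR-EMP-00002", "hr@example.com": "HR-EMP-00009"}
REPORTS_TO = {"HR-EMP-00005": "HR-EMP-00002"}  # employee -> reporting manager
USER_ROLES = {"alice@example.com": {"Employee"}, "bob@example.com": {"Employee"},
              "hr@example.com": {"Employee", "HR Manager"}}
HR_ROLES = {"HR Manager", "HR User"}
LEAVE_DOCTYPES = {"Leave Application", "Leave Allocation", "Leave Ledger Entry"}
ENUM_THRESHOLD = 3  # distinct out-of-scope employee IDs per user before an enumeration alert

LINE_RE = re.compile(r'user=(\S+) doctype="([^"]+)" employee=(\S+)')

def in_scope(user, employee):
    """True when user may read employee's leave: own record, direct report, or HR role."""
    own = USER_TO_EMPLOYEE.get(user)
    if employee == own or REPORTS_TO.get(employee) == own:
        return True
    return bool(USER_ROLES.get(user, set()) & HR_ROLES)

def analyse(log_text):
    """Return (out_of_scope_reads, enumerating_users) for the given log text."""
    out_of_scope = []   # (user, doctype, employee) tuples to review
    foreign_ids = {}    # user -> set of out-of-scope employee IDs that user read
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue    # unparseable line: skip it rather than abort the whole run
        user, doctype, employee = m.groups()
        if doctype not in LEAVE_DOCTYPES or in_scope(user, employee):
            continue
        out_of_scope.append((user, doctype, employee))
        foreign_ids.setdefault(user, set()).add(employee)
    enumerating = sorted(u for u, ids in foreign_ids.items() if len(ids) >= ENUM_THRESHOLD)
    return out_of_scope, enumerating
```

In the sample, bob's read of HR-EMP-00005 is in scope because that employee reports to him, while alice's three reads of colleagues' records are flagged and together cross the enumeration threshold.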
Monitoring Recommendations
- Forward Frappe and web server access logs to a centralized analytics platform for retention and correlation.
- Enable Frappe's activity log and version tracking on leave Doctypes to record read access where supported.
- Monitor authentication events for credential stuffing or brute-force attempts that could provide the foothold required to exploit this issue.
How to Mitigate CVE-2026-45081
Immediate Actions Required
- Upgrade Frappe HR to version 16.5.0 or later on all production and staging instances.
- Review HRMS access logs for the past several months to identify potential unauthorized leave record access.
- Rotate API keys and session tokens for any accounts suspected of misuse during the exposure window.
Patch Information
The vendor fixed CVE-2026-45081 in Frappe HR 16.5.0 by adding proper authorization checks on leave record access. Administrators should follow standard Frappe upgrade procedures using bench update or container image redeployment. Refer to the Frappe HR GitHub Security Advisory GHSA-9jpf-5vrm-hpcj for the authoritative remediation guidance.
Workarounds
- If immediate upgrade is not possible, restrict HRMS access to a trusted internal network or VPN to reduce the authenticated user population.
- Tighten role assignments so that only HR personnel hold roles with broad leave visibility, and audit existing Employee accounts for elevated permissions.
- Apply custom permission query conditions on leave Doctypes to scope results to frappe.session.user until the patched release is deployed.
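The interim workaround in the last item, as an added example that is not Frappe HR's or the advisory's own code: a custom app's permission query condition scoping Leave Application list results to the caller's own employee record and direct reports (HR roles unrestricted), plus a matching has_permission hook so single-document reads get the same check. The app name custom_hr, the module path, and the role list are assumptions; the Employee fields user_id and reports_to and the Leave Application employee field are standard Frappe HR fields.

```python
# Frappe hook functions; wire them up in a custom app's hooks.py (app name
# "custom_hr" is assumed):
#   permission_query_conditions = {"Leave Application": "custom_hr.permissions.leave_application_query"}
#   has_permission = {"Leave Application": "custom_hr.permissions.leave_application_has_permission"}
# The scope logic lives in pure functions so it can be unit-tested without a bench.

HR_ROLES = {"HR Manager", "HR User", "System Manager"}  # roles that keep full leave visibility

def sql_literal(value):
    """Quote a value for the condition string, escaping embedded single quotes."""
    return "'" + str(value).replace("'", "''") + "'"

def visible_employees(roles, own_employee, direct_reports):
    """None = unrestricted (HR role); otherwise the set of employee IDs the user may read."""
    if HR_ROLES & set(roles):
        return None
    return {e for e in [own_employee, *direct_reports] if e}

def build_leave_condition(doctype, roles, own_employee, direct_reports):
    """WHERE fragment Frappe appends to list queries; '' = no restriction, '1=0' = nothing."""
    visible = visible_employees(roles, own_employee, direct_reports)
    if visible is None:
        return ""
    if not visible:  # no Employee record and no HR role: the user sees nothing
        return "1=0"
    ids = ", ".join(sql_literal(e) for e in sorted(visible))
    return f"`tab{doctype}`.`employee` in ({ids})"

def _caller_scope(user):
    """Resolve (roles, own employee ID, direct reports) for user via the Frappe ORM."""
    import frappe  # imported here so the pure functions above run outside a bench
    user = user or frappe.session.user
    own = frappe.db.get_value("Employee", {"user_id": user}, "name")
    reports = frappe.get_all("Employee", filters={"reports_to": own}, pluck="name") if own else []
    return frappe.get_roles(user), own, reports

def leave_application_query(user=None):
    """permission_query_conditions hook: scopes list and get_list results."""
    return build_leave_condition("Leave Application", *_caller_scope(user))

def leave_application_has_permission(doc, user=None, permission_type="read"):
    """has_permission hook: guards single-document reads that bypass list queries."""
    visible = visible_employees(*_caller_scope(user))
    return visible is None or doc.employee in visible
```

A permission query condition only filters list queries, and a has_permission hook can deny but never grant, so the built-in role permissions still apply on top of both.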
# Configuration example: upgrade Frappe HR via bench (run as the bench user from the bench directory)
bench get-app --branch version-16 hrms          # fetch or refresh the hrms app source from the version-16 branch
bench --site your-site.local install-app hrms   # fresh installs only; skip if hrms is already installed on the site
bench --site your-site.local migrate            # apply schema changes and patches to the site
bench version | grep hrms                       # confirm hrms >= 16.5.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.