What is the CVSS score of CVE-2026-27471?

CVE-2026-27471 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Erpnext are affected by CVE-2026-27471?

A critical vulnerability in ERP versions up to 16.6.0 allows unauthorized users to access sensitive business documents without proper authentication, potentially exposing confidential financial, HR,…. A patch is available.

How to fix or mitigate CVE-2026-27471?

Within 24 hours: Identify all systems running ERP versions 15.98.0, 16.0.0-rc.1 through 16.6.0 and isolate from production if possible; notify your legal and compliance teams. Within 7 days: Apply the available vendor patch to all affected instances and verify patch deployment. Within 30 days: Conduct access logs review for unauthorized document access during the vulnerability window and document findings for incident response procedures.

Erpnext CVE-2026-27471

CRITICAL

Improper Access Control (CWE-284)

2026-02-21 security-advisories@github.com

Authentication Bypass Erpnext

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

Patch released

Feb 24, 2026 - 14:52 nvd

Patch available

CVE Published

Feb 21, 2026 - 07:16 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.

AnalysisAI

Missing authorization in ERPNext ERP before 15.98.0/16.6.0. Patch available.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Access vulnerable ERP endpoint

Exploit

Bypass missing access validation

Execution

Retrieve unauthorized documents

Impact

Exfiltrate sensitive data

Access

Access vulnerable ERP endpoint

Exploit

Bypass missing access validation

Execution

Retrieve unauthorized documents

Impact

Exfiltrate sensitive data

Vulnerability AssessmentAI

Exploitation	No special conditions — remote unauthenticated exploitation against default ERP installations versions 15.98.0, 16.0.0-rc.1 through 16.6.0 with unpatched endpoints lacking access validation. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.1. Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Access ERP endpoints without authorization.
Remediation	Update ERPNext. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running ERP versions 15.98.0, 16.0.0-rc.1 through 16.6.0 and isolate from production if possible; notify your legal and compliance teams. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-27471 vulnerability details – vuln.today

Back

Erpnext CVE-2026-27471

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code