Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.
AnalysisAI
Improper authorization in Frappe HR (HRMS) prior to version 16.5.0 allows any authenticated employee to read the leave records of other employees without permission. The root cause is CWE-863 (Incorrect Authorization) - the application authenticates the user but fails to enforce that the requesting employee is authorized to view the target employee's data. With a CVSS score of 6.5 (Medium) and a High confidentiality impact, this is a horizontal privilege escalation issue; no public exploit has been identified at time of analysis and it does not appear in the CISA KEV catalog.
Technical ContextAI
Frappe HR is an open-source Human Resources Management System built on the Frappe framework, reported via GitHub Security Advisories (GHSA-9jpf-5vrm-hpcj). The vulnerability is classified as CWE-863 (Incorrect Authorization), meaning the application correctly identifies who the user is (authentication is intact) but fails to enforce what data that user is permitted to access (authorization is broken). Specifically, the leave management module does not validate that the requesting employee's identity matches or has managerial rights over the target employee whose leave data is being fetched. This class of flaw typically manifests in API endpoints or server-side document fetches that omit a permission filter, allowing any authenticated session to enumerate or retrieve records belonging to arbitrary employees. Affected versions are all hrms releases prior to 16.5.0.
RemediationAI
Upgrade Frappe HR to version 16.5.0 or later, which is confirmed to contain the vendor-released patch per the GitHub Security Advisory at https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj. If an immediate upgrade is not feasible, a compensating control is to restrict network access to the HRMS application to only authorized HR personnel and managers, effectively limiting the pool of authenticated users who could exploit the flaw - this trades off employee self-service functionality against exposure. Alternatively, organizations may disable employee-facing leave inquiry endpoints at the web server or application firewall layer until patching is complete, though this will disrupt legitimate leave-status viewing workflows. There are no known side effects to the 16.5.0 upgrade beyond the authorization fix itself.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32608