Skip to main content

Frappe HR EUVDEUVD-2026-32608

| CVE-2026-45081 MEDIUM
Incorrect Authorization (CWE-863)
2026-05-27 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:06 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionGitHub Advisory

Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.

AnalysisAI

Improper authorization in Frappe HR (HRMS) prior to version 16.5.0 allows any authenticated employee to read the leave records of other employees without permission. The root cause is CWE-863 (Incorrect Authorization) - the application authenticates the user but fails to enforce that the requesting employee is authorized to view the target employee's data. With a CVSS score of 6.5 (Medium) and a High confidentiality impact, this is a horizontal privilege escalation issue; no public exploit has been identified at time of analysis and it does not appear in the CISA KEV catalog.

Technical ContextAI

Frappe HR is an open-source Human Resources Management System built on the Frappe framework, reported via GitHub Security Advisories (GHSA-9jpf-5vrm-hpcj). The vulnerability is classified as CWE-863 (Incorrect Authorization), meaning the application correctly identifies who the user is (authentication is intact) but fails to enforce what data that user is permitted to access (authorization is broken). Specifically, the leave management module does not validate that the requesting employee's identity matches or has managerial rights over the target employee whose leave data is being fetched. This class of flaw typically manifests in API endpoints or server-side document fetches that omit a permission filter, allowing any authenticated session to enumerate or retrieve records belonging to arbitrary employees. Affected versions are all hrms releases prior to 16.5.0.

RemediationAI

Upgrade Frappe HR to version 16.5.0 or later, which is confirmed to contain the vendor-released patch per the GitHub Security Advisory at https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj. If an immediate upgrade is not feasible, a compensating control is to restrict network access to the HRMS application to only authorized HR personnel and managers, effectively limiting the pool of authenticated users who could exploit the flaw - this trades off employee self-service functionality against exposure. Alternatively, organizations may disable employee-facing leave inquiry endpoints at the web server or application firewall layer until patching is complete, though this will disrupt legitimate leave-status viewing workflows. There are no known side effects to the 16.5.0 upgrade beyond the authorization fix itself.

Share

EUVD-2026-32608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy