{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27471", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T17:25:31.101Z", "datePublished": "2026-02-21T06:38:11.220Z", "dateUpdated": "2026-02-24T18:53:57.291Z"}, "containers": {"cna": {"title": "ERP: Document access through endpoints due to missing validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/frappe/erpnext/security/advisories/GHSA-wpfx-jw7g-7f83", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/erpnext/security/advisories/GHSA-wpfx-jw7g-7f83"}, {"name": "https://github.com/frappe/erpnext/commit/78fc9424d9085c2eafe1211931e22d7044f85fc7", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/erpnext/commit/78fc9424d9085c2eafe1211931e22d7044f85fc7"}], "affected": [{"vendor": "frappe", "product": "erpnext", "versions": [{"version": ">= 16.0.0-rc.1, < 16.6.1", "status": "affected"}, {"version": "< 15.98.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T06:38:11.220Z"}, "descriptions": [{"lang": "en", "value": "ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1."}], "source": {"advisory": "GHSA-wpfx-jw7g-7f83", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:53:41.450256Z", "id": "CVE-2026-27471", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:53:57.291Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27471", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T18:53:41.450256Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:53:50.392Z"}}], "cna": {"title": "ERP: Document access through endpoints due to missing validation", "source": {"advisory": "GHSA-wpfx-jw7g-7f83", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "frappe", "product": "erpnext", "versions": [{"status": "affected", "version": ">= 16.0.0-rc.1, < 16.6.1"}, {"status": "affected", "version": "< 15.98.1"}]}], "references": [{"url": "https://github.com/frappe/erpnext/security/advisories/GHSA-wpfx-jw7g-7f83", "name": "https://github.com/frappe/erpnext/security/advisories/GHSA-wpfx-jw7g-7f83", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/frappe/erpnext/commit/78fc9424d9085c2eafe1211931e22d7044f85fc7", "name": "https://github.com/frappe/erpnext/commit/78fc9424d9085c2eafe1211931e22d7044f85fc7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T06:38:11.220Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27471", "state": "PUBLISHED", "dateUpdated": "2026-02-24T18:53:57.291Z", "dateReserved": "2026-02-19T17:25:31.101Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-21T06:38:11.220Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "matchCriteriaId": "99EC5DF8-E503-44E3-AFA0-01913369E5A2", "versionEndExcluding": "15.98.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*", "matchCriteriaId": "54586AAF-3E56-40F6-A451-BCA6612337EA", "versionEndExcluding": "16.6.1", "versionStartExcluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:erpnext:16.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "A4A2EFB2-1819-4F8B-86C7-020B2FB75C01", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:erpnext:16.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8F985625-91A3-4CA3-A962-48CF64D3F49E", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:erpnext:16.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "665B5B9E-4A38-4716-B71C-2CD10E293226", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1."}, {"lang": "es", "value": "ERP es una herramienta de Planificaci\u00f3n de Recursos Empresariales de c\u00f3digo abierto y gratuita. En las versiones hasta la 15.98.0 y la 16.0.0-rc.1, y hasta la 16.6.0, ciertos endpoints carec\u00edan de validaci\u00f3n de acceso, lo que permit\u00eda el acceso no autorizado a documentos. Este problema ha sido solucionado en las versiones 15.98.1 y 16.6.1."}], "id": "CVE-2026-27471", "lastModified": "2026-02-24T14:52:50.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-21T07:16:13.580", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/frappe/erpnext/commit/78fc9424d9085c2eafe1211931e22d7044f85fc7"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/erpnext/security/advisories/GHSA-wpfx-jw7g-7f83"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0-rc.1,16.6.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.98.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "erpnext", "source": "cna", "vendor": "frappe"}, "product": "erpnext", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-18T11:20:35.032804+00:00", "value": {"mitigation_remediation": ["Upgrade ERP Next to version 15.98.1 or 16.6.1 or later, which contains the access-validation fix.", "If an immediate upgrade is not possible, strongly restrict access to document\u2011retrieval routes using network controls or application\u2011level ACLs so that only authorized users can reach those endpoints.", "Enable auditing and monitoring on document access logs to detect unauthorized attempts and respond promptly."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Document Access"}, "threat_synthesis": {"affected_systems": "The issue affects the frappe:erpnext product. Vulnerable installations include all releases up to and including 15.98.0, 16.0.0\u2011rc.1, and 16.6.0. Fixes are available in 15.98.1, 16.6.1, and later versions.", "description_and_impact": "The vulnerability arises because several document\u2011retrieval endpoints in ERP Next fail to perform proper access validation. An attacker can request any document identifier and receive the associated file, enabling the disclosure of confidential business data. The weakness is rooted in missing authentication and authorization checks, as described by the CWE identifiers for improper authorization and lack of authentication, which allows an unauthenticated user to read protected resources.", "risk_and_exploitability": "The CVSS score of 9.3 denotes a critical severity, but the EPSS score of less than 1% suggests that exploitation is currently rare and may require deliberate targeting. The vulnerability is not listed in CISA\u2019s KEV catalog, so no known public exploits have been reported. An attacker can exploit the flaw remotely by sending HTTP requests to the affected endpoints without any authentication, provided the target uses a vulnerable version. The high severity combined with low exploitation probability points to a moderate overall risk that still demands remediation."}}}}, "created": "2026-02-23T14:32:29.986558+00:00", "updated": "2026-04-18T11:30:44.311310+00:00", "vendors": ["frappe", "frappe$PRODUCT$erpnext"]}