{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.766Z", "datePublished": "2026-04-21T19:32:52.106Z", "dateUpdated": "2026-04-22T13:30:10.795Z"}, "containers": {"cna": {"title": "Frappe HR has Improper Access Control on Files", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm"}, {"name": "https://github.com/frappe/hrms/releases/tag/v15.58.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/hrms/releases/tag/v15.58.2"}, {"name": "https://github.com/frappe/hrms/releases/tag/v16.4.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/hrms/releases/tag/v16.4.2"}], "affected": [{"vendor": "frappe", "product": "hrms", "versions": [{"version": "< 16.4.2", "status": "affected"}, {"version": "< 15.58.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:32:52.106Z"}, "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-6cg5-4q6m-vrgm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:29:58.366920Z", "id": "CVE-2026-40889", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:30:10.795Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.766Z", "datePublished": "2026-04-21T19:32:52.106Z", "dateUpdated": "2026-04-22T13:30:10.795Z"}, "containers": {"cna": {"title": "Frappe HR has Improper Access Control on Files", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm"}, {"name": "https://github.com/frappe/hrms/releases/tag/v15.58.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/hrms/releases/tag/v15.58.2"}, {"name": "https://github.com/frappe/hrms/releases/tag/v16.4.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/hrms/releases/tag/v16.4.2"}], "affected": [{"vendor": "frappe", "product": "hrms", "versions": [{"version": "< 16.4.2", "status": "affected"}, {"version": "< 15.58.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:32:52.106Z"}, "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-6cg5-4q6m-vrgm", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40889", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:29:58.366920Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:30:06.999Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe_hr:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D6D7E58-ED65-4DD1-B73B-35A959BC2163", "versionEndExcluding": "15.58.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:frappe_hr:*:*:*:*:*:*:*:*", "matchCriteriaId": "7070442C-3FBA-4796-A5FB-5D195083537E", "versionEndExcluding": "16.4.2", "versionStartIncluding": "16.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available."}], "id": "CVE-2026-40889", "lastModified": "2026-04-27T19:39:11.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:02.680", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/frappe/hrms/releases/tag/v15.58.2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/frappe/hrms/releases/tag/v16.4.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/hrms/security/advisories/GHSA-6cg5-4q6m-vrgm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,16.4.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.58.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "hrms", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-22T05:28:11.061135+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading to Frappe HR\u202f15.58.2 or later 16.4.2.", "If an upgrade cannot be performed immediately, block or restrict the vulnerable API endpoint so that only users with explicitly allowed roles can access it.", "Inspect system logs for unexpected file download attempts and enforce the principle of least privilege in file\u2011access permissions."], "summary": {"action": "Patch", "impact": "Unauthorized File Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is the open\u2011source HRMS known as Frappe HR (frappe:hrms). All releases before 15.58.2 and 16.4.2 suffer from this flaw; the advisory documents the patch in those two releases.", "description_and_impact": "Frappe HR allowed authenticated users to read files they should not have access to by calling a specific API endpoint. This improper access control flaw, identified as CWE\u2011284, can expose confidential documents or data stored in the system, thereby compromising confidentiality. The vulnerability requires that the attacker be logged into the system but does not require any additional privileges beyond normal user credentials.", "risk_and_exploitability": "The CVSS score of 6.5 rates the issue as moderate, with an EPSS score unavailable and no listing in the CISA KEV catalog. Because the attack exploits an existing authenticated session, a user who can log in\u2014possibly an employee or an compromised account\u2014can download any accessible file through the vulnerable endpoint. No active exploit has been reported, but the path is straightforward once a user is authenticated."}}}}, "created": "2026-04-22T05:30:09.559570+00:00", "updated": "2026-04-22T11:45:31.118942+00:00", "vendors": ["frappe", "frappe$PRODUCT$hrms"]}