PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45081 frappe CVE debrief

CVE-2026-45081 is a medium-severity improper authorization vulnerability in Frappe HR, an open-source human resources management solution. The flaw, present in versions prior to 16.5.0, allows authenticated employees to access other employees' leave details due to missing authorization checks. The vulnerability was disclosed on May 27, 2026, and has been assigned a CVSS 3.1 score of 6.5 (MEDIUM). The issue is classified under CWE-863 (Incorrect Authorization). Frappe HR version 16.5.0 contains the fix for this vulnerability. Organizations using affected versions should prioritize upgrading to 16.5.0 or later to prevent unauthorized access to sensitive employee leave information.

Vendor
frappe
Product
hrms
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations using Frappe HR versions prior to 16.5.0 for human resources management, particularly those handling sensitive employee leave and attendance data in multi-employee environments where data segregation between employees is required.

Technical summary

The vulnerability exists in Frappe HR's leave management functionality where authorization checks were insufficient to prevent authenticated employees from viewing other employees' leave details. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates a network-accessible vulnerability with low attack complexity, requiring low-privileged authenticated access, resulting in high confidentiality impact with no integrity or availability impact. The root cause is categorized as CWE-863 (Incorrect Authorization).

Defensive priority

medium

Recommended defensive actions

  • Upgrade Frappe HR to version 16.5.0 or later to remediate the improper authorization vulnerability
  • Review access logs for unauthorized leave detail access by authenticated users prior to patching
  • Verify that employee role-based access controls are properly enforced after upgrading
  • Monitor for any anomalous access patterns to leave management functionality

Evidence notes

Vulnerability confirmed through official GitHub Security Advisory (GHSA-9jpf-5vrm-hpcj) and NVD entry. CVSS vector confirms network attack vector with low attack complexity, requiring authenticated access but no user interaction.

Official resources

2026-05-27