CVE-2026-40888 - Vulnerability Details - OpenCVE

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/frappe/hrms/releases/tag/v15.58.1
https://github.com/frappe/hrms/releases/tag/v16.4.1
https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx

History

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.
Title		Frappe HR vulnerable to Improper Access Control
Weaknesses		CWE-284
References		https://github.com/frappe/hrms/releases/tag/v15.58.1 https://github.com/frappe/hrms/releases/tag/v16.4.1 https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx
Metrics		cvssV3_0 `{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-21T19:28:28.849Z

Updated: 2026-04-21T19:43:37.506Z

Reserved: 2026-04-15T16:37:22.765Z

Link: CVE-2026-40888

Vulnrichment

Updated: 2026-04-21T19:43:33.793Z

NVD

Status : Received

Published: 2026-04-21T20:17:02.537

Modified: 2026-04-21T20:17:02.537

Link: CVE-2026-40888

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.765Z", "datePublished": "2026-04-21T19:28:28.849Z", "dateUpdated": "2026-04-21T19:43:37.506Z"}, "containers": {"cna": {"title": "Frappe HR vulnerable to Improper Access Control", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}}], "references": [{"name": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx"}, {"name": "https://github.com/frappe/hrms/releases/tag/v15.58.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/hrms/releases/tag/v15.58.1"}, {"name": "https://github.com/frappe/hrms/releases/tag/v16.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/hrms/releases/tag/v16.4.1"}], "affected": [{"vendor": "frappe", "product": "hrms", "versions": [{"version": "< 15.58.1", "status": "affected"}, {"version": "< 16.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:28:28.849Z"}, "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-4375-7rxj-9hfx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:43:31.343136Z", "id": "CVE-2026-40888", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:43:37.506Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:43:31.343136Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:43:33.793Z"}}], "cna": {"title": "Frappe HR vulnerable to Improper Access Control", "source": {"advisory": "GHSA-4375-7rxj-9hfx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "frappe", "product": "hrms", "versions": [{"status": "affected", "version": "< 15.58.1"}, {"status": "affected", "version": "< 16.4.1"}]}], "references": [{"url": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx", "name": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/frappe/hrms/releases/tag/v15.58.1", "name": "https://github.com/frappe/hrms/releases/tag/v15.58.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/frappe/hrms/releases/tag/v16.4.1", "name": "https://github.com/frappe/hrms/releases/tag/v16.4.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:28:28.849Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40888", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:43:37.506Z", "dateReserved": "2026-04-15T16:37:22.765Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:28:28.849Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}