ERPNext Access Validation Vulnerability in Payment Request Endpoint Allowing Unauthorized Document Access

Vulnerability

A vulnerability has been identified in ERPNext, an open-source Enterprise Resource Planning tool. It affects versions prior to 15.98.1 and versions 16.0.0-rc.1 through 16.6.0. Certain endpoints in these versions lacked proper access validation, which resulted in unauthorized access to documents. The issue has been addressed in ERPNext versions 15.98.1 and 16.6.1.

Impact

Exploitation of this vulnerability allowed for unauthorized access to documents through specific endpoints, due to the absence of proper access validation.

Remediation

Users are advised to upgrade to ERPNext version 15.98.1 or 16.6.1.
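
To check deployed versions against the ranges stated above, the following added example (not part of the advisory or of the ERPNext project) classifies version strings and reports the fixed release to move to. The host names and inventory are constructed, and version strings are assumed to have the form major.minor.patch with an optional pre-release suffix such as -rc.1.

```python
import re

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+))?$")


def parse_version(text):
    """Return a sortable key; a pre-release sorts before its final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    # (0, tag, n) for pre-releases, (1, "", 0) for final releases.
    pre = (0, m.group(4).lower(), int(m.group(5))) if m.group(4) else (1, "", 0)
    return (major, minor, patch, pre)


def is_affected(text):
    """True when the version falls in a range the advisory lists as affected."""
    v = parse_version(text)
    if v < parse_version("15.98.1"):  # "versions prior to 15.98.1"
        return True
    # "16.0.0-rc.1 through 16.6.0"; earlier 16.x pre-releases are not listed
    # by the advisory, so this function does not flag them.
    return parse_version("16.0.0-rc.1") <= v <= parse_version("16.6.0")


def upgrade_target(text):
    """Fixed release on the same major line, or None when not affected."""
    if not is_affected(text):
        return None
    return "16.6.1" if parse_version(text)[0] >= 16 else "15.98.1"


def audit(inventory):
    """Map each affected host to the fixed release it should move to."""
    return {h: upgrade_target(v) for h, v in inventory.items() if is_affected(v)}


# Constructed sample inventory: host names and versions are made up.
INVENTORY = {
    "erp-prod": "15.98.0",
    "erp-staging": "16.0.0-rc.1",
    "erp-finance": "16.6.0",
    "erp-dev": "16.6.1",
    "erp-archive": "v15.98.1",
}

if __name__ == "__main__":
    for host, target in sorted(audit(INVENTORY).items()):
        print(f"{host}: {INVENTORY[host]} is affected, upgrade to {target}")
```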

Added: Feb 21, 2026, 7:18 AM
Updated: Feb 21, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 8.1
remediation: 7.7
relevance: 3.3
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.