ERPNext Authorization Bypass Vulnerability Allowing Unauthorized Data Modification

Vulnerability

A vulnerability in ERPNext versions prior to 16.9.1 allows users to modify data beyond what their assigned roles permit, because certain endpoints do not adequately check the caller's permissions before applying changes. This issue has been addressed in version 16.9.1.
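The pattern behind this class of bug is an endpoint that confirms only that the caller is logged in and then writes, instead of checking the permission type the write requires against the caller's roles. The following is an added illustration of that pattern beside its fixed form; it is not ERPNext's code and the advisory names no endpoint, so the DocType ("Item Price"), the role-permission table, the handler names and the user accounts are all invented for the example. Real Frappe endpoints take the acting user from the session rather than as a parameter; it is passed explicitly here so the example runs stand-alone.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the acting user lacks the required role permission."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed role-permission table (hypothetical): which roles may perform
# which permission type on which DocType. This stands in for the real
# per-DocType permission records and is for illustration only.
ROLE_PERMS = {
    ("Item Price", "write"): {"Sales Manager", "Item Manager"},
    ("Item Price", "read"): {"Sales Manager", "Item Manager", "Sales User", "Stock User"},
}

# Constructed in-memory document store standing in for the database.
DOCUMENTS = {
    ("Item Price", "IP-0001"): {"item_code": "WIDGET-1", "price_list_rate": 100.0},
}


def has_permission(user, doctype, ptype):
    """Role-based check: True if any of the user's roles grants `ptype` on `doctype`."""
    if "Administrator" in user.roles:
        return True
    return bool(user.roles & ROLE_PERMS.get((doctype, ptype), set()))


def update_price_vulnerable(user, name, new_rate):
    """Vulnerable pattern: the endpoint only verifies that the caller is a
    logged-in user and then writes, so any authenticated user can modify the
    record regardless of role."""
    if user.name == "Guest":
        raise AuthorizationError("login required")
    doc = DOCUMENTS[("Item Price", name)]
    doc["price_list_rate"] = float(new_rate)
    return doc


def update_price_fixed(user, name, new_rate):
    """Fixed pattern: check the specific permission type on the target DocType
    before touching the record, and fail closed."""
    if not has_permission(user, "Item Price", "write"):
        raise AuthorizationError(f"{user.name} lacks write permission on Item Price")
    doc = DOCUMENTS[("Item Price", name)]
    doc["price_list_rate"] = float(new_rate)
    return doc


def demo():
    """Run both handlers as a user holding only a read-capable role.

    Returns (rate_after_vulnerable_call, fixed_call_was_denied): the vulnerable
    handler lets the low-privilege user overwrite the rate, the fixed one refuses.
    """
    DOCUMENTS[("Item Price", "IP-0001")]["price_list_rate"] = 100.0
    low_priv = User("stock.user@example.com", frozenset({"Stock User"}))
    vuln_rate = update_price_vulnerable(low_priv, "IP-0001", 1.0)["price_list_rate"]
    try:
        update_price_fixed(low_priv, "IP-0001", 1.0)
        fixed_denied = False
    except AuthorizationError:
        fixed_denied = True
    return vuln_rate, fixed_denied


if __name__ == "__main__":
    print(demo())
```

The point of the fixed handler is that the check names the permission type ("write") and the target DocType, not merely the fact of being logged in; a read-only role passes the vulnerable guard but not the fixed one. When auditing an endpoint for this bug, look for writes that are reachable from a whitelisted method with no permission check between the entry point and the save.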

Impact

A user holding a low-privilege role could alter records that their role does not permit them to write, undermining the integrity of the affected data.

Remediation

Users are advised to upgrade to ERPNext version 16.9.1 or later.

Added: May 13, 2026, 10:22 PM
Updated: May 13, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.6
exploitability: 4.9
remediation: 7.7
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.