Frappe HR Improper Authorization Vulnerability Allowing Unauthorized Access to Leave Details

Vulnerability

A permission bypass vulnerability has been identified in Frappe HR versions prior to 16.5.0, allowing authenticated employees to access the leave details of other employees. This issue arises from inadequate authorization checks in the leave details API. The vulnerability has been addressed in version 16.5.0 by implementing proper employee-level access validation in the affected API endpoint.
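The missing check described above, as an added illustration that is not Frappe HR's own code: a leave-details function that trusts the caller-supplied employee id, beside one that validates the caller's linked employee record before returning anything. The user-to-employee mapping, role names and leave rows are constructed sample data, and the function names are assumptions made for this demo.

```python
# Added illustration of the bug class in the advisory: a "leave details" endpoint
# that lacks employee-level authorization, next to a checked version.
# NOT Frappe HR's code; every name and record below is constructed for the demo.

# Constructed sample data: session user -> linked employee, roles, leave rows.
EMPLOYEE_OF_USER = {
    "alice@example.com": "EMP-001",
    "bob@example.com": "EMP-002",
    "hr@example.com": "EMP-003",
}
ROLES_OF_USER = {
    "alice@example.com": {"Employee"},
    "bob@example.com": {"Employee"},
    "hr@example.com": {"Employee", "HR Manager"},
}
LEAVE_APPLICATIONS = [
    {"employee": "EMP-001", "leave_type": "Sick Leave", "from": "2026-05-01", "days": 2},
    {"employee": "EMP-002", "leave_type": "Casual Leave", "from": "2026-05-10", "days": 1},
]


def get_leave_details_vulnerable(session_user, employee):
    """Before: filters only by the caller-supplied id; session_user is never consulted,
    so any authenticated user can read any employee's leave rows."""
    return [row for row in LEAVE_APPLICATIONS if row["employee"] == employee]


def get_leave_details_fixed(session_user, employee):
    """After: permit the read only for the caller's own employee record, or when the
    caller holds a privileged HR role (assumed role name for the demo)."""
    own_employee = EMPLOYEE_OF_USER.get(session_user)
    if own_employee is None:
        raise PermissionError("no employee record is linked to the session user")
    is_privileged = "HR Manager" in ROLES_OF_USER.get(session_user, set())
    if employee != own_employee and not is_privileged:
        raise PermissionError(f"{session_user} may not read leave details of {employee}")
    return [row for row in LEAVE_APPLICATIONS if row["employee"] == employee]


def can_read(session_user, employee):
    """Convenience check: True if the fixed endpoint would allow this read."""
    try:
        get_leave_details_fixed(session_user, employee)
        return True
    except PermissionError:
        return False
```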

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive leave information of employees.

Remediation

Users are advised to update to Frappe HR version 16.5.0 or later, where this vulnerability has been fixed.

Added: May 28, 2026, 4:00 AM
Updated: May 28, 2026, 4:00 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.2
remediation: 0.0
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.