9.3
ERP Enterprise Resource Planning lacks access controls for some endpoints
CVE-2026-27471
Summary
ERPNext, the free and open source ERP software, lacks access validation on certain endpoints in versions up to 15.98.0 and in 16.0.0-rc.1 through 16.6.0, which allows unauthorized users to view sensitive documents. The issue is fixed in versions 15.98.1 and 16.6.1. Update to the latest version to ensure access controls are in place.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| frappe | erpnext | <= 15.98.1 | – |
| frappe | erpnext | > 16.0.0, <= 16.6.1 | – |
| frappe | erpnext | 16.0.0 | – |
Original title
ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthori...
Original description
ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.
nvd CVSS3.1
9.1
nvd CVSS4.0
9.3
Vulnerability type
CWE-284
Improper Access Control
CWE-306
Missing Authentication for Critical Function
CWE-862
Missing Authorization
Published: 21 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026