2026-05-27 17:18 | CVE-2026-45081 | GitHub_M
PUBLISHED | 5.2 | CWE-863

Frappe HR: Permission Bypass in HRMS Leave Details API

Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.

Problem type

CWE-863: Incorrect Authorization

Affected products

frappe

hrms

< 16.5.0 - AFFECTED

References

https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj (x_refsource_CONFIRM)

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-45081
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-45081",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-27T18:26:47.576Z",
    "dateReserved": "2026-05-08T18:45:10.097Z",
    "datePublished": "2026-05-27T17:18:53.600Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-27T17:18:53.600Z"
      },
      "title": "Frappe HR: Permission Bypass in HRMS Leave Details API",
      "descriptions": [
        {
          "lang": "en",
          "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0."
        }
      ],
      "affected": [
        {
          "vendor": "frappe",
          "product": "hrms",
          "versions": [
            {
              "version": "< 16.5.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-863: Incorrect Authorization",
              "cweId": "CWE-863",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj",
          "name": "https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM"
          }
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-05-27T18:26:47.576Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}