CVE-2026-40888

Source
https://cve.org/CVERecord?id=CVE-2026-40888
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40888.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40888
Aliases
  • GHSA-4375-7rxj-9hfx
Published
2026-04-21T19:28:28.849Z
Modified
2026-07-08T08:13:12.901787166Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Frappe HR vulnerable to Improper Access Control
Details

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40888.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-284"
    ]
}
References

Affected packages

Git / github.com/frappe/hrms

Affected ranges

Type
GIT
Repo
https://github.com/frappe/hrms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:frappe:frappe_hr:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "15.58.1"
        },
        {
            "introduced": "16.0.0"
        },
        {
            "fixed": "16.4.1"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v15.*
v15.0.0
v15.1.0
v15.10.0
v15.11.0
v15.11.1
v15.12.0
v15.13.0
v15.13.1
v15.14.0
v15.14.1
v15.14.2
v15.15.0
v15.16.0
v15.17.0
v15.18.0
v15.19.0
v15.2.0
v15.20.0
v15.20.1
v15.20.2
v15.20.3
v15.21.0
v15.21.1
v15.21.2
v15.22.0
v15.22.1
v15.22.2
v15.22.3
v15.23.0
v15.23.1
v15.24.0
v15.25.0
v15.25.1
v15.25.2
v15.26.0
v15.27.0
v15.27.1
v15.27.2
v15.28.0
v15.28.1
v15.28.2
v15.28.3
v15.29.0
v15.3.0
v15.30.0
v15.31.0
v15.32.0
v15.32.1
v15.32.2
v15.33.0
v15.33.1
v15.33.2
v15.34.0
v15.35.0
v15.35.1
v15.35.2
v15.35.3
v15.36.0
v15.36.1
v15.37.0
v15.37.1
v15.37.2
v15.38.0
v15.38.1
v15.38.2
v15.38.3
v15.39.0
v15.39.1
v15.39.2
v15.4.0
v15.4.1
v15.40.0
v15.41.0
v15.42.0
v15.42.1
v15.42.2
v15.42.3
v15.43.0
v15.43.1
v15.44.0
v15.44.1
v15.44.2
v15.45.0
v15.45.1
v15.45.2
v15.45.3
v15.46.0
v15.46.1
v15.47.0
v15.47.1
v15.47.2
v15.47.3
v15.47.4
v15.47.5
v15.47.6
v15.47.7
v15.47.8
v15.48.0
v15.48.1
v15.49.0
v15.49.1
v15.49.2
v15.5.0
v15.50.0
v15.50.1
v15.50.2
v15.50.3
v15.51.0
v15.52.0
v15.52.1
v15.52.2
v15.52.3
v15.52.4
v15.52.5
v15.53.0
v15.54.0
v15.54.1
v15.54.2
v15.54.3
v15.55.0
v15.56.0
v15.57.0
v15.57.1
v15.58.0
v15.6.0
v15.7.0
v15.7.1
v15.8.0
v15.9.0
v15.9.1
v15.9.2
v16.*
v16.0.0
v16.0.1
v16.0.2
v16.1.0
v16.2.0
v16.3.0
v16.3.1
v16.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40888.json"