CVE-2026-44442

Source
https://cve.org/CVERecord?id=CVE-2026-44442
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44442.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44442
Aliases
  • GHSA-cg5w-7g26-p3w9
Published
2026-05-13T21:11:14.186Z
Modified
2026-07-08T08:13:29.875311856Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
ERPNext: Unauthorised Document modification due to missing validation
Details

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44442.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/frappe/erpnext

Affected ranges

Type
GIT
Repo
https://github.com/frappe/erpnext
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "16.9.1"
        }
    ]
}

Affected versions

4.*
4.0.0
4.0.0-beta1
v10.*
v10.0.0
v10.0.1
v10.0.2
v11.*
v11.0.0-beta
v12.*
v12.0.0
v12.0.1
v12.0.2
v12.0.3
v12.0.4
v12.0.5
v12.0.6
v12.0.7
v12.0.8
v12.1.0
v12.1.1
v12.1.2
v12.1.3
v12.1.4
v12.1.5
v12.1.6
v14.*
v14.0.0-beta.2
v16.*
v16.0.0
v16.0.0-beta.1
v16.0.1
v16.1.0
v16.2.0
v16.3.0
v16.4.0
v16.4.1
v16.5.0
v16.6.0
v16.6.1
v16.7.0
v16.7.1
v16.7.2
v16.7.3
v16.8.0
v16.8.1
v16.8.2
v16.8.3
v16.9.0
v3.*
v3.1.0
v3.1.1
v3.1.2
Other
v4-beta2
v4.*
v4.0.1
v4.10.0
v4.11.0
v4.11.1
v4.11.2
v4.12.0
v4.13.0
v4.13.1
v4.14.0
v4.15.0
v4.15.1
v4.15.2
v4.15.3
v4.15.4
v4.16.0
v4.17.0
v4.18.0
v4.18.1
v4.19.0
v4.20.0
v4.20.1
v4.20.2
v4.21.0
v4.21.1
v4.21.2
v4.21.3
v4.21.4
v4.22.0
v4.22.1
v4.22.2
v4.23.0
v4.24.0
v4.24.1
v4.24.2
v4.24.3
v4.24.4
v4.25.0
v4.25.1
v4.25.2
v4.25.3
v4.25.4
v4.25.5
v4.25.6
v4.25.7
v4.3.0
v4.4.0
v4.4.1
v4.4.2
v4.5.0
v4.5.1
v4.5.2
v4.6.0
v4.6.1
v4.6.2
v4.7.0
v4.7.1
v4.7.2
v4.8.0
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v5.*
v5.0.0
v5.0.1
v5.0.10
v5.0.11
v5.0.12
v5.0.13
v5.0.14
v5.0.15
v5.0.16
v5.0.17
v5.0.18
v5.0.19
v5.0.2
v5.0.20
v5.0.21
v5.0.22
v5.0.23
v5.0.24
v5.0.25
v5.0.26
v5.0.27
v5.0.28
v5.0.29
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.2.0
v5.2.1
v5.3.0
v5.3.1
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.5.1
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.7.7
v5.8.0
v5.8.1
v5.8.2
v6.*
v6.0.0
v6.0.1
v6.1.0
v6.1.1
v6.10.0
v6.10.1
v6.10.2
v6.11.0
v6.11.1
v6.11.2
v6.11.3
v6.12.0
v6.12.1
v6.12.10
v6.12.11
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13.0
v6.13.1
v6.14.0
v6.14.1
v6.15.0
v6.15.1
v6.16.0
v6.16.1
v6.16.2
v6.16.3
v6.16.4
v6.17.0
v6.18.0
v6.18.1
v6.18.2
v6.18.3
v6.18.4
v6.19.0
v6.2.0
v6.2.1
v6.20.0
v6.21.0
v6.21.1
v6.21.2
v6.21.3
v6.21.4
v6.21.5
v6.21.6
v6.22.0
v6.22.1
v6.23.0
v6.23.1
v6.23.2
v6.23.3
v6.23.4
v6.23.5
v6.23.6
v6.23.7
v6.24.0
v6.24.1
v6.24.2
v6.24.3
v6.24.4
v6.24.5
v6.25.0
v6.25.1
v6.25.2
v6.25.3
v6.25.4
v6.25.5
v6.26.0
v6.27.0
v6.27.1
v6.27.10
v6.27.11
v6.27.12
v6.27.13
v6.27.14
v6.27.15
v6.27.16
v6.27.17
v6.27.18
v6.27.19
v6.27.2
v6.27.20
v6.27.21
v6.27.22
v6.27.23
v6.27.24
v6.27.25
v6.27.26
v6.27.3
v6.27.4
v6.27.5
v6.27.6
v6.27.7
v6.27.8
v6.27.9
v6.3.0
v6.3.1
v6.3.2
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.5.0
v6.5.1
v6.5.2
v6.5.3
v6.6.0
v6.6.1
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.8.0
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.9.0
v6.9.1
v6.9.2
v7.*
v7.0.0
v7.0.1
v7.0.10
v7.0.11
v7.0.12
v7.0.13
v7.0.14
v7.0.15
v7.0.16
v7.0.17
v7.0.18
v7.0.19
v7.0.2
v7.0.20
v7.0.21
v7.0.22
v7.0.23
v7.0.24
v7.0.25
v7.0.26
v7.0.27
v7.0.28
v7.0.29
v7.0.3
v7.0.30
v7.0.31
v7.0.32
v7.0.33
v7.0.34
v7.0.35
v7.0.36
v7.0.37
v7.0.38
v7.0.39
v7.0.4
v7.0.40
v7.0.41
v7.0.42
v7.0.43
v7.0.44
v7.0.45
v7.0.46
v7.0.47
v7.0.48
v7.0.49
v7.0.5
v7.0.50
v7.0.51
v7.0.52
v7.0.53
v7.0.54
v7.0.55
v7.0.56
v7.0.57
v7.0.58
v7.0.59
v7.0.6
v7.0.60
v7.0.61
v7.0.62
v7.0.63
v7.0.7
v7.0.8
v7.0.9
v7.1.0
v7.1.1
v7.1.10
v7.1.11
v7.1.12
v7.1.13
v7.1.14
v7.1.15
v7.1.16
v7.1.17
v7.1.18
v7.1.19
v7.1.2
v7.1.20
v7.1.21
v7.1.22
v7.1.23
v7.1.24
v7.1.25
v7.1.26
v7.1.27
v7.1.28
v7.1.29
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.1.9
v7.2.0
v7.2.1
v7.2.10
v7.2.11
v7.2.12
v7.2.13
v7.2.14
v7.2.15
v7.2.16
v7.2.17
v7.2.18
v7.2.19
v7.2.2
v7.2.20
v7.2.21
v7.2.22
v7.2.23
v7.2.24
v7.2.25
v7.2.26
v7.2.27
v7.2.28
v7.2.29
v7.2.3
v7.2.30
v7.2.31
v7.2.32
v7.2.4
v7.2.5
v7.2.6
v7.2.7
v7.2.8
v7.2.9
v8.*
v8.0.0
v8.0.1
v8.0.10
v8.0.11
v8.0.12
v8.0.13
v8.0.14
v8.0.15
v8.0.16
v8.0.17
v8.0.18
v8.0.19
v8.0.2
v8.0.20
v8.0.21
v8.0.22
v8.0.23
v8.0.24
v8.0.25
v8.0.26
v8.0.27
v8.0.28
v8.0.29
v8.0.3
v8.0.30
v8.0.31
v8.0.32
v8.0.33
v8.0.34
v8.0.35
v8.0.36
v8.0.37
v8.0.38
v8.0.39
v8.0.4
v8.0.40
v8.0.41
v8.0.42
v8.0.43
v8.0.44
v8.0.45
v8.0.46
v8.0.47
v8.0.48
v8.0.49
v8.0.5
v8.0.50
v8.0.51
v8.0.6
v8.0.7
v8.0.8
v8.0.9
v8.1.0
v8.1.1
v8.1.2
v8.1.3
v8.1.4
v8.1.5
v8.1.6
v8.1.7
v8.10.0
v8.10.1
v8.10.2
v8.11.0
v8.11.1
v8.11.2
v8.11.3
v8.11.4
v8.11.5
v8.11.6
v8.2.0
v8.2.1
v8.2.2
v8.2.3
v8.2.4
v8.2.5
v8.3.0
v8.3.1
v8.3.2
v8.3.3
v8.3.4
v8.3.5
v8.3.6
v8.4.0
v8.4.1
v8.4.2
v8.4.3
v8.5.0
v8.5.1
v8.5.2
v8.5.3
v8.5.4
v8.5.5
v8.6.0
v8.6.1
v8.6.2
v8.6.3
v8.6.4
v8.6.5
v8.6.6
v8.7.0
v8.7.1
v8.7.2
v8.7.3
v8.8.0
v8.8.1
v8.8.2
v8.8.3
v8.8.4
v8.8.5
v8.8.6
v8.9.0
v8.9.1
v8.9.2
v9.*
v9.0.0
v9.0.1
v9.0.2
v9.0.3
v9.0.4
v9.0.5
v9.0.6
v9.0.7
v9.0.8
v9.0.9
v9.1.0
v9.1.1
v9.1.2
v9.1.3
v9.1.4
v9.1.5
v9.1.6
v9.1.7
v9.1.8
v9.2.0
v9.2.1
v9.2.10
v9.2.11
v9.2.12
v9.2.13
v9.2.14
v9.2.15
v9.2.16
v9.2.17
v9.2.18
v9.2.19
v9.2.2
v9.2.20
v9.2.21
v9.2.22
v9.2.23
v9.2.24
v9.2.3
v9.2.4
v9.2.5
v9.2.6
v9.2.7
v9.2.8
v9.2.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44442.json"