{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.765Z", "datePublished": "2026-04-21T19:28:28.849Z", "dateUpdated": "2026-04-21T19:43:37.506Z"}, "containers": {"cna": {"title": "Frappe HR vulnerable to Improper Access Control", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}}], "references": [{"name": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx"}, {"name": "https://github.com/frappe/hrms/releases/tag/v15.58.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/hrms/releases/tag/v15.58.1"}, {"name": "https://github.com/frappe/hrms/releases/tag/v16.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/hrms/releases/tag/v16.4.1"}], "affected": [{"vendor": "frappe", "product": "hrms", "versions": [{"version": "< 15.58.1", "status": "affected"}, {"version": "< 16.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:28:28.849Z"}, "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-4375-7rxj-9hfx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:43:31.343136Z", "id": "CVE-2026-40888", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:43:37.506Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:43:31.343136Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:43:33.793Z"}}], "cna": {"title": "Frappe HR vulnerable to Improper Access Control", "source": {"advisory": "GHSA-4375-7rxj-9hfx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "frappe", "product": "hrms", "versions": [{"status": "affected", "version": "< 15.58.1"}, {"status": "affected", "version": "< 16.4.1"}]}], "references": [{"url": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx", "name": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/frappe/hrms/releases/tag/v15.58.1", "name": "https://github.com/frappe/hrms/releases/tag/v15.58.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/frappe/hrms/releases/tag/v16.4.1", "name": "https://github.com/frappe/hrms/releases/tag/v16.4.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:28:28.849Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40888", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:43:37.506Z", "dateReserved": "2026-04-15T16:37:22.765Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:28:28.849Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available."}], "id": "CVE-2026-40888", "lastModified": "2026-04-21T20:17:02.537", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:02.537", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/frappe/hrms/releases/tag/v15.58.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/frappe/hrms/releases/tag/v16.4.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T06:44:20.355490+00:00", "value": {"mitigation_remediation": ["Upgrade Frappe HR to at least version 15.58.1 or 16.4.1 where the patch has been applied.", "If an upgrade is not immediately feasible, restrict the default role\u2019s permissions or remove access to the vulnerable endpoint until patching can occur.", "Monitor API access logs for unexpected usage patterns to detect potential exploitation while the vulnerability remains unpatched."], "summary": {"action": "Apply Patch", "impact": "Unauthorized information disclosure via improper access control"}, "threat_synthesis": {"affected_systems": "Versions of Frappe HR released before 15.58.1 and 16.4.1 are affected. The vulnerability is present in the frappe:hrms product for all older releases; applying the patch found in those releases resolves the issue.", "description_and_impact": "Frappe HR allows an authenticated user with a default role to call a specific API endpoint that returns information they are not permitted to see. The flaw is an example of CWE\u2011284 \u2013 improper access control. This results in confidential HR data being disclosed to users who should not have access, potentially exposing personal employee information.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate impact. The exploit requires an authenticated account but no special privileges beyond the default role, making it likely that a legitimate user could locate the vulnerable endpoint. No EPSS score is available, and the vulnerability is not listed in CISA KEV, but the lack of a public exploit does not reduce the risk of data exfiltration in a production environment."}}}}, "created": "2026-04-22T06:45:10.880250+00:00", "updated": "2026-04-22T06:45:10.880266+00:00", "vendors": []}