Cyber Resilience

CVE-2026-27471

Severity: Critical
Published: 21 February 2026
Modified: 24 February 2026
CISA KEV: not listed
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0032 (24.0th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27471 is a critical-severity Improper Access Control (CWE-284) vulnerability in Frappe Erpnext. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 24.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-27471 is a critical vulnerability in ERPNext, a free and open-source Enterprise Resource Planning tool, affecting versions up to 15.98.0, 16.0.0-rc.1, and through 16.6.0. The issue stems from certain endpoints lacking proper access validation, enabling unauthorized document access. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-284 (Improper Access Control), CWE-306 (Missing Authentication for Critical Function), and CWE-862 (Missing Authorization).

Exploitation is possible over the network with low complexity and requires neither privileges nor user interaction. By calling the affected endpoints, an unauthenticated adversary can access documents without authorization, giving high impacts to confidentiality and integrity: sensitive business data can be exposed and documents can potentially be modified.

The vulnerability has been addressed in ERPNext versions 15.98.1 and 16.6.1. Official mitigation details are available in the GitHub security advisory (GHSA-wpfx-jw7g-7f83) and the fixing commit (78fc9424d9085c2eafe1211931e22d7044f85fc7), which recommend upgrading to patched releases.


Vulnerability details

ERPNext is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation, which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213 Data from Information Repositories (Collection): Adversaries may leverage information repositories to mine valuable information.

Why these techniques?

The public-facing ERPNext application with missing authentication/authorization directly enables exploitation via T1190. The resulting unauthorized document access facilitates data collection from an information repository (T1213).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-44442 (same product: Frappe Erpnext)
- CVE-2026-44446 (same product: Frappe Erpnext)
- CVE-2023-54345 (same product: Frappe Erpnext)
- CVE-2025-66434 (same product: Frappe Erpnext)
- CVE-2026-44447 (same product: Frappe Erpnext)
- CVE-2026-32954 (same product: Frappe Erpnext)
- CVE-2025-66437 (same product: Frappe Erpnext)
- CVE-2025-67289 (same product: Frappe Erpnext)
- CVE-2025-65267 (same product: Frappe Erpnext)
- CVE-2026-31017 (same product: Frappe Erpnext)

Affected Assets

Vendor: frappe
Product: erpnext
Versions: 16.0.0 · ≤ 15.98.1 · 16.0.0 — 16.6.1

Mitigating Controls (NIST 800-53 r5) (AI)

- AC-3 Access Enforcement (prevent): Mandates enforcement of approved authorizations for logical access to information and resources such as documents exposed via endpoints, directly mitigating the lack of access validation in ERPNext.
- AC-24 Access Control Decisions (prevent): Requires that access control decisions are determined and enforced before access is granted, addressing the missing authorization checks on the vulnerable endpoints.
- AC-14 Permitted Actions Without Identification or Authentication (prevent): Explicitly authorizes and documents the actions permitted without identification or authentication, preventing unauthorized document access on endpoints that lack validation.
