CVE-2026-27471
Published: 21 February 2026
Summary
CVE-2026-27471 is a critical-severity Improper Access Control (CWE-284) vulnerability in Frappe ERPNext. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 14.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-24 (Access Control Decisions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations for logical access to information and resources, such as documents served via endpoints, directly mitigating the lack of access validation in ERPNext.
- AC-24 (Access Control Decisions): requires that access control decisions be determined and enforced before access is granted, addressing the missing authorization checks on the vulnerable endpoints.
- AC-14 (Permitted Actions Without Identification or Authentication): requires that any action permitted without identification or authentication be explicitly authorized and documented, preventing unauthenticated document access on endpoints that lack validation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The public-facing ERPNext application, with its missing authentication and authorization checks, directly enables exploitation via Exploit Public-Facing Application (T1190). The resulting unauthorized document access facilitates Data from Information Repositories (T1213).
NVD Description
ERPNext is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0, and 16.0.0-rc.1 through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.
Deeper analysis
CVE-2026-27471 is a critical vulnerability in ERPNext, a free and open-source Enterprise Resource Planning tool, affecting versions up to 15.98.0 and 16.0.0-rc.1 through 16.6.0. The issue stems from certain endpoints lacking proper access validation, enabling unauthorized document access. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-284 (Improper Access Control), CWE-306 (Missing Authentication for Critical Function), and CWE-862 (Missing Authorization).
The vulnerability is exploitable over the network with low attack complexity and requires neither privileges nor user interaction. By targeting the affected endpoints, an unauthenticated adversary can gain unauthorized access to documents, with high impact to confidentiality and integrity, such as exposure of sensitive business data or modification of documents.
The vulnerability has been addressed in ERPNext versions 15.98.1 and 16.6.1. Official mitigation details are available in the GitHub security advisory (GHSA-wpfx-jw7g-7f83) and the fixing commit (78fc9424d9085c2eafe1211931e22d7044f85fc7), which recommend upgrading to patched releases.
Details
- CWE(s)