CVE-2026-40888 MEDIUM

CVE-2026-40888: Frappe HR vulnerable to Improper Access Control

Vendor Frappe

Product hrms

Weakness CWE-284

Published April 21, 2026

Last update April 21, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.

Key dates

02Disclosure timeline

April 21, 2026 CVE published

April 21, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-40888 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

Identifiers

CVE CVE-2026-40888

CWE CWE-284

CVSS 6.5 / MEDIUM

Affected versions

Vendor Frappe

Product hrms

Affected < 15.58.1

Vendor Frappe

Product hrms

Affected < 16.4.1

CVE-2026-40888: Frappe HR vulnerable to Improper Access Control

01Description

02Disclosure timeline

03References

04Related CVE