CVE-2026-45081 MEDIUM

CVE-2026-45081: Frappe HR: Permission Bypass in HRMS Leave Details API

Vendor Frappe
Product hrms
Weakness CWE-863 · Incorrect authorization
Published May 27, 2026
Last update May 27, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.

Key dates

02 Disclosure timeline

May 27, 2026 CVE published
May 27, 2026 Record updated