Platform
erpnext
Component
erpnext
Fixed in
16.0.1
15.98.2
CVE-2026-27471 is a missing-access-validation flaw in ERPNext: certain endpoints return a document without checking that the caller holds read permission on it, so a user can retrieve documents they are not authorised to see and expose sensitive business data. Affected releases are the 15.x line before 15.98.2 and the 16.0.0-rc.1 pre-release; the fix shipped in 15.98.2 and 16.0.1, the versions listed in the Fixed in field above.
The primary impact of CVE-2026-27471 is unauthorized data disclosure. An attacker who can reach the affected endpoints can read documents containing confidential information, such as financial records, customer data, and internal communications, which could lead to data breaches, reputational damage, and regulatory fines. The scope depends on which doctypes the vulnerable endpoints serve, how sensitive those records are in a given deployment, and whether the attacker can use the disclosed data for further attacks (for example, harvesting customer contact details or payment references). The flaw is a reminder that every endpoint returning a document must enforce the same permission checks as the document's standard read path.
CVE-2026-27471 was publicly disclosed on 2026-02-21. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time, and no public proof-of-concept exploit is currently available. Because the root cause is an absent permission check rather than a memory-safety or complex logic bug, a working exploit is typically a single crafted request to the affected endpoint, so the absence of a public PoC should not be read as low risk.
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27471 is to upgrade ERPNext to 15.98.2 (15.x line) or 16.0.1 (16.x line). If upgrading immediately is not feasible, restrict access to the ERPNext API surface (the /api/resource and /api/method paths) at a web application firewall or reverse proxy so that only trusted networks or users can reach it, and review role permissions in the Role Permission Manager so that sensitive doctypes such as invoices, salary slips, and customer records are readable only by the roles that need them. Monitor the reverse-proxy and ERPNext logs for document reads by users outside those roles and for one user enumerating many documents of a sensitive doctype in quick succession. After upgrading, verify the fix with a low-privilege test account: request a document that account is not permitted to read (for example via /api/resource/<DocType>/<name>) and confirm that the server refuses the request instead of returning the document.
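The log review above can be scripted. The following is an added example, not code from the ERPNext or Frappe projects: it parses a constructed, simplified access-log format (timestamp, authenticated user, method, path, status; nginx does not record the Frappe user by default, so adapt the parser to whatever your proxy actually logs) and flags successful reads of sensitive doctypes by users who are not expected readers, denied attempts against those doctypes, and enumeration of many documents by one user. The doctype names are real ERPNext doctypes; the user names, allowed-reader mapping, and threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample lines (not real traffic). Format: "<timestamp> <user> <method> <path> <status>".
SAMPLE_LOG = """\
2026-02-22T09:00:01Z alice@example.com GET /api/resource/Sales%20Invoice/ACC-SINV-2026-00012 200
2026-02-22T09:00:02Z alice@example.com GET /api/resource/Sales%20Invoice/ACC-SINV-2026-00013 200
2026-02-22T09:00:03Z alice@example.com GET /api/resource/Sales%20Invoice/ACC-SINV-2026-00014 200
2026-02-22T09:00:04Z alice@example.com GET /api/method/frappe.client.get?doctype=Salary%20Slip&name=HR-SAL-2026-00001 200
2026-02-22T09:00:05Z alice@example.com GET /api/method/frappe.client.get?doctype=Salary%20Slip&name=HR-SAL-2026-00002 200
2026-02-22T09:01:00Z bob@example.com GET /api/resource/Customer/CUST-0001 200
2026-02-22T09:01:01Z bob@example.com GET /api/resource/Salary%20Slip/HR-SAL-2026-00001 403
2026-02-22T09:02:00Z carol@example.com GET /api/resource/Item/ITEM-0001 200
"""

# Doctypes whose single-document reads are worth scrutinising (real ERPNext doctype names).
SENSITIVE_DOCTYPES = {"Sales Invoice", "Salary Slip", "Customer"}

# Assumed mapping of doctype -> users expected to read it; in practice derive this from
# the roles configured in the Role Permission Manager.
ALLOWED_READERS = {
    "Salary Slip": {"hr@example.com"},
    "Sales Invoice": {"alice@example.com", "accounts@example.com"},
    "Customer": {"alice@example.com", "bob@example.com"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
RESOURCE_RE = re.compile(r"^/api/resource/([^/]+)/([^/]+)$")


def parse_document_read(path):
    """Return (doctype, docname) if the path is a single-document read, else None.

    Covers the REST form /api/resource/<DocType>/<name> and the RPC form
    /api/method/frappe.client.get?doctype=...&name=... used by the Frappe client.
    """
    parsed = urlparse(path)
    m = RESOURCE_RE.match(parsed.path)
    if m:
        return unquote(m.group(1)), unquote(m.group(2))
    if parsed.path == "/api/method/frappe.client.get":
        qs = parse_qs(parsed.query)
        if "doctype" in qs and "name" in qs:
            return qs["doctype"][0], qs["name"][0]
    return None


def analyse(log_text, enumeration_threshold=3):
    """Return a list of human-readable findings for the given log text."""
    reads = defaultdict(set)  # (user, doctype) -> names successfully read
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, user, _method, path, status = m.groups()
        doc = parse_document_read(path)
        if doc is None:
            continue
        doctype, name = doc
        if doctype not in SENSITIVE_DOCTYPES:
            continue
        if status == "403":
            # After the fix this is the expected outcome, but repeated denials are probing.
            findings.append(f"{ts} {user} was denied reading {doctype} {name}")
            continue
        if status != "200":
            continue
        reads[(user, doctype)].add(name)
        if user not in ALLOWED_READERS.get(doctype, set()):
            findings.append(f"{ts} {user} read {doctype} {name} but is not an expected reader")
    for (user, doctype), names in reads.items():
        if len(names) >= enumeration_threshold:
            findings.append(f"{user} read {len(names)} distinct {doctype} documents (possible enumeration)")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports alice's two Salary Slip reads (she is not an expected reader), bob's denied Salary Slip attempt, and alice's enumeration of three Sales Invoices. On an unpatched instance, the "not an expected reader" findings with status 200 are the signal that matters most; after upgrading, the same requests should surface only as denials.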
Update erpnext to version 15.98.2 (15.x) or 16.0.1 (16.x), or higher, to correct the unauthorized document access vulnerability. These releases restore the missing access validation on the affected endpoints.
CVE-2026-27471 is a vulnerability in ERPNext 15.x before 15.98.2 and in the 16.0.0-rc.1 pre-release that allows attackers to bypass access checks on certain endpoints and retrieve documents they are not authorised to read.
You are affected if you are running any ERPNext 15.x release earlier than 15.98.2, or the 16.0.0-rc.1 pre-release.
Upgrade ERPNext to 15.98.2 or 16.0.1. As a temporary workaround, restrict access to the ERPNext API endpoints with a WAF or reverse proxy and tighten role permissions on sensitive doctypes.
There is currently no evidence of active exploitation, but because the flaw is a missing permission check, exploitation requires little more than a crafted request once the affected endpoints are known.
Refer to the official ERPNext security advisories on their website or GitHub repository for the latest information and updates.