Platform: erpnext
Component: erpnext
Fixed in: 16.0.1, 15.98.2
CVE-2026-27471 describes an unauthorized document access vulnerability affecting ERPNext versions up to and including 16.0.0-rc.1 and versions below 16.6.1. The flaw allows attackers to bypass access validation and retrieve documents they are not permitted to see, potentially exposing sensitive business data. The vulnerability has been resolved in ERPNext versions 15.98.1 and 16.6.1.
The primary impact of CVE-2026-27471 is the potential for unauthorized data disclosure. Attackers can exploit this vulnerability to access documents containing confidential information, such as financial records, customer data, and internal communications. Successful exploitation could lead to data breaches, reputational damage, and regulatory fines. The scope of the impact depends on the sensitivity of the documents accessible through the vulnerable endpoints and the attacker's ability to leverage the stolen data for further malicious activities. This vulnerability highlights the importance of robust access control mechanisms within ERP systems.
CVE-2026-27471 was publicly disclosed on 2026-02-21. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. Public proof-of-concept exploits are not currently available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is developed.
Organizations using ERPNext versions prior to 16.6.1, particularly those with sensitive data stored within the system, are at risk. Shared hosting environments where multiple ERPNext instances share resources could also be affected, as a compromise of one instance could potentially lead to access to data in other instances.
• linux / server: `journalctl -u erpnext -g 'access validation failed'`
• generic web: `curl -I https://your-erpnext-instance/api/method/your.vulnerable.endpoint` and check the response headers for any unusual or unauthorized access indicators.
• wordpress / composer / npm: N/A - this vulnerability is specific to the ERPNext application itself, not its dependencies.
• database (mysql, redis, mongodb, postgresql): N/A - the vulnerability does not directly involve the database layer.
• windows / supply-chain: N/A - ERPNext is primarily a Linux-based application.
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-27471 is to upgrade ERPNext to version 16.6.1 or 15.98.1. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting access to the vulnerable endpoints through a web application firewall (WAF) or proxy server. Carefully review and tighten access control lists (ACLs) to ensure that only authorized users can access sensitive documents. Monitor ERPNext logs for any suspicious activity related to document access. After upgrading, confirm the fix by attempting to access documents without proper authorization and verifying that access is denied.
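The monitoring step above is easier to act on when denials are aggregated per account rather than read line by line. The following script is an added example, not code from the advisory or from the ERPNext project: it parses a constructed log format (timestamp, level, `user=`, `msg=`), keeps only lines carrying the `access validation failed` marker that the journalctl check greps for, and flags any account with a burst of denials inside a short window. The line layout, the sample entries, the field names and the threshold are all assumptions; adapt the regex to your site's real log format.

```python
"""Added example: flag accounts with bursts of document-access denials.

Not part of the advisory or of ERPNext. The line format parsed here is a
constructed assumption for illustration; real ERPNext logs will differ.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not real ERPNext output).
SAMPLE_LOG = """\
2026-02-22 09:00:01 INFO user=alice@example.com msg=login ok
2026-02-22 09:00:05 WARNING user=alice@example.com msg=access validation failed doctype=Sales Invoice name=SINV-0001
2026-02-22 09:00:06 WARNING user=alice@example.com msg=access validation failed doctype=Sales Invoice name=SINV-0002
2026-02-22 09:00:07 WARNING user=alice@example.com msg=access validation failed doctype=Sales Invoice name=SINV-0003
2026-02-22 09:00:08 WARNING user=alice@example.com msg=access validation failed doctype=Salary Slip name=HR-SS-0009
2026-02-22 09:30:00 WARNING user=bob@example.com msg=access validation failed doctype=Sales Invoice name=SINV-0001
2026-02-22 10:15:00 INFO user=bob@example.com msg=document read doctype=Sales Order name=SO-0007
"""

# Assumed layout: "<timestamp> <level> user=<account> msg=<free text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"user=(?P<user>\S+) msg=(?P<msg>.*)$"
)
# Marker the advisory's journalctl check searches for.
DENIAL_MARKER = "access validation failed"


def parse_denials(text):
    """Return (timestamp, user, message) tuples for every denial line."""
    denials = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or DENIAL_MARKER not in m.group("msg"):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        denials.append((ts, m.group("user"), m.group("msg")))
    return denials


def flag_users(denials, threshold=3, window=timedelta(minutes=5)):
    """Map user -> largest number of denials seen inside any sliding window.

    Only users reaching `threshold` are returned. A burst of denials from one
    account is the pattern worth alerting on: it looks like enumeration of
    documents the account is not permitted to read, and a single stray denial
    is usually just a mis-click.
    """
    by_user = defaultdict(list)
    for ts, user, _ in denials:
        by_user[user].append(ts)

    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until all stamps fit inside `window`.
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    hits = flag_users(parse_denials(SAMPLE_LOG))
    for user, n in sorted(hits.items()):
        print(f"ALERT {user}: {n} access denials within 5 minutes")
```

Run it as-is to see the alert for the constructed burst; in practice feed it the output of the journalctl check and tune `threshold` and `window` to your normal denial rate so that an ordinary permission error does not page anyone.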
Update ERPNext to version 15.98.1 or 16.6.1, or later, to fix the unauthorized document access vulnerability. This resolves the missing access validation on certain endpoints.
CVE-2026-27471 is a vulnerability in ERPNext versions ≤ 16.0.0-rc.1 and < 16.6.1 that allows attackers to bypass access controls and retrieve unauthorized documents.
You are affected if you are running ERPNext versions 16.0.0-rc.1 or earlier, or versions between 16.0.0-rc.1 and 16.6.1 (exclusive of 16.6.1).
Upgrade ERPNext to version 16.6.1 or 15.98.1. As a temporary workaround, restrict access to vulnerable endpoints with a WAF or proxy.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is developed.
Refer to the official ERPNext security advisories on their website or GitHub repository for the latest information and updates.