{"id":"CVE-2026-40888","summary":"Frappe HR vulnerable to Improper Access Control","details":"Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.","aliases":["GHSA-4375-7rxj-9hfx"],"modified":"2026-07-08T08:13:12.901787166Z","published":"2026-04-21T19:28:28.849Z","database_specific":{"cwe_ids":["CWE-284"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40888.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/frappe/hrms/releases/tag/v15.58.1"},{"type":"WEB","url":"https://github.com/frappe/hrms/releases/tag/v16.4.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40888.json"},{"type":"ADVISORY","url":"https://github.com/frappe/hrms/security/advisories/GHSA-4375-7rxj-9hfx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40888"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/frappe/hrms","events":[{"introduced":"0"},{"fixed":"459f0062f38b48069dbddf091a15ca3a44e3298a"},{"introduced":"19a835b7ca10132365a8707931d65381aa68a846"},{"fixed":"aa42d57833bc6eecf7c8c61633122edf410cea3d"}],"database_specific":{"cpe":"cpe:2.3:a:frappe:frappe_hr:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"15.58.1"},{"introduced":"16.0.0"},{"fixed":"16.4.1"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["v16.4.0","v15.58.0","v15.57.1","v16.3.1","v16.3.0","v15.57.0","v16.2.0","v15.56.0","v15.55.0","v16.1.0","v16.0.2","v16.0.1","v16.0.0","v15.54.3","v15.54.2","v15.54.1","v15.54.0","v15.53.0","v15.52.5","v15.52.4","v15.52.3","v15.52.2","v15.52.1","v15.52.0","v15.51.0","v15.50.3","v15.50.2","v15.50.1","v15.50.0","v15.49.2","v15.49.1","v15.49.0","v15.48.1","v15.48.0","v15.47.8","v15.47.7","v15.47.6","v15.47.5","v15.47.4","v15.47.3","v15.47.2","v15.47.1","v15.47.0","v15.46.1","v15.46.0","v15.45.3","v15.45.2","v15.45.1","v15.45.0","v15.44.2","v15.44.1","v15.44.0","v15.43.1","v15.43.0","v15.42.3","v15.42.2","v15.42.1","v15.42.0","v15.41.0","v15.40.0","v15.39.2","v15.39.1","v15.39.0","v15.38.3","v15.38.2","v15.38.1","v15.38.0","v15.37.2","v15.37.1","v15.37.0","v15.36.1","v15.36.0","v15.35.3","v15.35.2","v15.35.1","v15.35.0","v15.34.0","v15.33.2","v15.33.1","v15.33.0","v15.32.2","v15.32.1","v15.32.0","v15.31.0","v15.30.0","v15.29.0","v15.28.3","v15.28.2","v15.28.1","v15.28.0","v15.27.2","v15.27.1","v15.27.0","v15.26.0","v15.25.2","v15.25.1","v15.25.0","v15.24.0","v15.23.1","v15.23.0","v15.22.3","v15.22.2","v15.22.1","v15.22.0","v15.21.2","v15.21.1","v15.21.0","v15.20.3","v15.20.2","v15.20.1","v15.20.0","v15.19.0","v15.18.0","v15.17.0","v15.16.0","v15.15.0","v15.14.2","v15.14.1","v15.14.0","v15.13.1","v15.13.0","v15.12.0","v15.11.1","v15.11.0","v15.10.0","v15.9.2","v15.9.1","v15.9.0","v15.8.0","v15.7.1","v15.7.0","v15.6.0","v15.5.0","v15.4.1","v15.4.0","v15.3.0","v15.2.0","v15.1.0","v15.0.0","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40888.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}