VYPR
Medium severity (score 6.5) · NVD Advisory · Published May 27, 2026

CVE-2026-45081

Description

Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated employees can access other employees' leave details due to missing authorization checks in Frappe HRMS prior to 16.5.0.

Vulnerability

An improper authorization vulnerability exists in Frappe HRMS (open-source HR solution) prior to version 16.5.0. The leave details API endpoint fails to verify that the requesting employee has permission to view the specified employee's leave records. This allows any authenticated employee to access leave details of other employees without proper authorization.
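The class of defect described above, a leave-details handler that authenticates the caller but never relates the caller to the employee id in the request, is shown below beside its hardened form. This is an added illustration written for this page, not Frappe HRMS code and not the project's actual fix; the in-memory data store, the Session type, the role mappings and every function name are assumptions made for the example.

```python
"""
Object-level authorization for an employee leave-details endpoint.

Added illustration, not Frappe HRMS code. The in-memory store, the Session
type, the identity/role mappings and all function names are assumptions made
for this example; only the pattern (authenticate, then authorize against the
requested employee id) is what the fix class requires.
"""
from dataclasses import dataclass
from typing import List


class AuthorizationError(Exception):
    """Raised when the caller may not read the requested employee's leaves."""


@dataclass(frozen=True)
class LeaveRecord:
    employee_id: str
    leave_type: str
    from_date: str
    to_date: str
    status: str


@dataclass(frozen=True)
class Session:
    user: str  # login of the authenticated caller; "Guest" when not logged in


# Constructed sample data: two employees, one leave record each.
LEAVES = {
    "EMP-001": [LeaveRecord("EMP-001", "Casual Leave", "2026-03-02", "2026-03-03", "Approved")],
    "EMP-002": [LeaveRecord("EMP-002", "Sick Leave", "2026-03-10", "2026-03-11", "Open")],
}
# Constructed identity and role mappings (assumed for the example, not Frappe's data model).
USER_TO_EMPLOYEE = {"alice@example.test": "EMP-001", "bob@example.test": "EMP-002"}
MANAGER_OF = {"EMP-002": "EMP-001"}  # EMP-001 is EMP-002's leave approver
HR_USERS = {"hr@example.test"}


def require_login(session: Session) -> None:
    """Authentication check only: rejects unauthenticated callers."""
    if session.user == "Guest":
        raise AuthorizationError("login required")


def get_leave_details_vulnerable(session: Session, employee_id: str) -> List[LeaveRecord]:
    """Vulnerable pattern: the caller is authenticated, but nothing ties the
    caller to employee_id, so any logged-in employee can read anyone's leaves."""
    require_login(session)
    return LEAVES.get(employee_id, [])


def can_view_leaves(user: str, employee_id: str) -> bool:
    """Deny-by-default object-level check: the employee themselves, their
    leave approver, or an HR user may read the records."""
    if user in HR_USERS:
        return True
    own_id = USER_TO_EMPLOYEE.get(user)
    if own_id is None:
        return False
    return own_id == employee_id or MANAGER_OF.get(employee_id) == own_id


def get_leave_details_fixed(session: Session, employee_id: str) -> List[LeaveRecord]:
    """Hardened pattern: authenticate, then authorize against the requested object."""
    require_login(session)
    if not can_view_leaves(session.user, employee_id):
        # Denied before any lookup, so the response does not reveal whether
        # the employee id exists.
        raise AuthorizationError("not permitted to view leaves for this employee")
    return LEAVES.get(employee_id, [])


def access_outcome(handler, session: Session, employee_id: str) -> str:
    """Return "allowed" or "denied" for one handler call; handy for comparing
    the two handlers over the same requests."""
    try:
        handler(session, employee_id)
        return "allowed"
    except AuthorizationError:
        return "denied"


if __name__ == "__main__":
    bob = Session("bob@example.test")  # an ordinary employee, EMP-002
    for name, handler in (("vulnerable", get_leave_details_vulnerable),
                          ("fixed", get_leave_details_fixed)):
        print(f"{name}: bob reading EMP-001 -> {access_outcome(handler, bob, 'EMP-001')}")
```

The point of the comparison is that the authorization decision is made per object (the employee id in the request) rather than per endpoint: a login check alone, as in the vulnerable handler, proves who the caller is but says nothing about which records they may read. Denying before the record lookup also keeps the response identical for existing and non-existing ids.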

Exploitation

An attacker must be an authenticated employee of the organization using Frappe HRMS. No special privileges or administrative access is required. The attacker can directly call the leave details API endpoint with a different employee's identifier to retrieve their leave information. No user interaction from the victim is needed.

Impact

Successful exploitation results in unauthorized disclosure of other employees' leave details, including leave types, dates, and statuses. This violates the confidentiality of personal data and can be used for social engineering or internal reconnaissance. The attack does not allow modification or deletion of data, nor does it affect availability.

Mitigation

The vulnerability is fixed in Frappe HRMS version 16.5.0, released on March 13, 2026, according to the advisory [1]. All users should upgrade to 16.5.0 or later. No workarounds are available. The vulnerability is not listed in CISA KEV.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Frappe/Hrms (inferred), 2 version ranges:
    • (no CPE) range: <16.5.0
    • (no CPE) range: <16.5.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; vulnerability mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.