CVE-2026-44442
ERPNext · ERPNext
ERPNext contains a missing authorization check in certain endpoints, allowing authenticated users to modify data beyond their assigned permissions.
Executive summary
A critical authorization flaw in ERPNext allows authenticated users to perform unauthorized data modifications, threatening the integrity of business-critical information.
Vulnerability
The application fails to enforce proper authorization checks on specific endpoints (CWE-862), allowing authenticated users to manipulate data outside their authorized role. This indicates a failure in access control logic within the application's backend.
Business impact
With a CVSS score of 9.9, this vulnerability presents a critical risk to business data integrity. An attacker could modify financial records, supply chain data, or user roles, leading to severe reputational damage and operational disruption.
Remediation
Immediate Action: Upgrade all ERPNext instances to version 16.9.1 or higher immediately.
Proactive Monitoring: Audit database logs for unusual record modifications or unauthorized changes made by low-privileged user accounts.
Compensating Controls: Apply strict Role-Based Access Control (RBAC) and review audit trails for any sensitive configuration changes.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
The severity of this flaw necessitates an immediate upgrade to version 16.9.1. Organizations should also conduct a post-remediation audit of their ERPNext environment to ensure no unauthorized data modifications occurred prior to the patch.