CVE-2026-44442

ERPNext · ERPNext

ERPNext contains a missing authorization check in certain endpoints, allowing authenticated users to modify data beyond their assigned permissions.

Executive summary

A critical authorization flaw in ERPNext allows authenticated users to perform unauthorized data modifications, threatening the integrity of business-critical information.

Vulnerability

The application fails to enforce proper authorization checks on specific endpoints (CWE-862), allowing authenticated users to manipulate data outside their authorized role. This indicates a failure in access control logic within the application's backend.

Business impact

With a CVSS score of 9.9, this vulnerability presents a critical risk to business data integrity. An attacker could modify financial records, supply chain data, or user roles, leading to severe reputational damage and operational disruption.

Remediation

Immediate Action: Upgrade all ERPNext instances to version 16.9.1 or higher immediately.

Proactive Monitoring: Audit database logs for unusual record modifications or unauthorized changes made by low-privileged user accounts.

Compensating Controls: Apply strict Role-Based Access Control (RBAC) and review audit trails for any sensitive configuration changes.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

The severity of this flaw necessitates an immediate upgrade to version 16.9.1. Organizations should also conduct a post-remediation audit of their ERPNext environment to ensure no unauthorized data modifications occurred prior to the patch.