CVE-2026-55242
frappe · erpnext
ERPNext is vulnerable to incorrect authorization and improper template engine neutralization, which can be exploited by an authenticated local user.
Executive summary
An authorization and template injection flaw in ERPNext allows authenticated local users to achieve escalated privileges and potential system-wide compromise.
Vulnerability
The vulnerability stems from incorrect authorization (CWE-863) and improper neutralization of special elements in a template engine (CWE-1336). It requires low-privileged authenticated access to the system to trigger the flaw.
Business impact
Although exploitation requires authenticated access, the ability to achieve total technical impact (as indicated by the CVSS score of 8.8) makes this a significant risk. An attacker could bypass existing authorization controls, manipulate business data, or execute arbitrary code in the context of the application, leading to severe operational and data integrity risks.
Remediation
Immediate Action: Update ERPNext to version 15.111.0 or 16.22.0, depending on the current deployment branch, to apply the necessary security patches.
Proactive Monitoring: Audit user activity logs, particularly those involving administrative or template-related functions, for signs of unauthorized access or escalation attempts.
Compensating Controls: Implement strict Role-Based Access Control (RBAC) and minimize the number of users with system-level permissions to reduce the potential impact of a compromised account.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
While this vulnerability requires local authentication, the potential for total technical impact is severe. Administrators must prioritize updating ERPNext to the latest secure versions to prevent privilege escalation and ensure the integrity of the enterprise resource planning environment.