What is CVE-2026-44448?

CVE-2026-44448 is a medium-severity vulnerability in Frappe Erpnext, classified under Missing Authorization. CVSS score: 5.9/10. Published 2026-05-13.

How severe is CVE-2026-44448?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Auth bypass in Frappe Erpnext

CVE-2026-44448

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerabil…

Vulnerability class: Broken Access Control

EPSS: 0.000 (10.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N.

Affected products

Frappe Erpnext — versions >= 16.0.0-beta.1, < 16.11.0, < 15.102.0

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)

Frequently asked questions

What is CVE-2026-44448?: CVE-2026-44448 is a medium-severity vulnerability in Frappe Erpnext, classified under Missing Authorization. CVSS score: 5.9/10. Published 2026-05-13.
How severe is CVE-2026-44448?: Medium severity. CVSS v3 base score is 5.9 out of 10.