LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-44442

CVE-2026-44442 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: May 14, 2026

ERPNext - Broken Access Control

Published: May 13, 2026Updated: May 14, 2026Remote Exploitable

Overview

ERPNext < 16.9.1 contains a broken access control vulnerability caused by improper authorization checks on certain endpoints, letting users modify data beyond their permitted roles, exploit requires user authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 3.9%(Probability of exploitation in next 30 days)

Impact

Users can modify data beyond their permissions, potentially leading to unauthorized data alteration and privilege escalation.

Mitigation

Upgrade to version 16.9.1 or later.

References

Social Media Activity(4 posts)

TheHackerWire
TheHackerWire
@thehackerwire
May 14, 2026

šŸ”“ CVE-2026-44442 - Critical (9.9) ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-44442/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
OffSequence
OffSequence
@offseq
May 14, 2026

šŸšØ CRITICAL vuln: ERPNext <16.9.1 (CVE-2026-44442) lets users with limited rights modify data due to missing authorization. Update ASAP to 16.9.1+ to fix. No known exploits yet. Details: https://radar.offseq.com/threat/cve-2026-44442-cwe-862-missing-authorization-in-fr-ebe7ec52 #OffSeq #ERPNext #Vuln #AppSec

View original post
TheHackerWire
TheHackerWire
@thehackerwire
May 14, 2026

šŸ”“ CVE-2026-44442 - Critical (9.9) ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-44442/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
OffSequence
OffSequence
@offseq
May 14, 2026

šŸšØ CRITICAL vuln: ERPNext <16.9.1 (CVE-2026-44442) lets users with limited rights modify data due to missing authorization. Update ASAP to 16.9.1+ to fix. No known exploits yet. Details: https://radar.offseq.com/threat/cve-2026-44442-cwe-862-missing-authorization-in-fr-ebe7ec52 #OffSeq #ERPNext #Vuln #AppSec

View original post

Related Resources

Details

CVE ID
CVE-2026-44442
Severity
Critical
CVSS Score
9.9
Type
broken_access_control
Status
confirmed
EPSS
3.9%
Social Posts
4

CWE

  • CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

3.9%Probability of exploitation in the next 30 days