WRITEUP

Exploit for CVE-2026-27471 - ERP <=15.98.0/16.0.0-rc.1-16.6.0 - Auth Bypass
AI Analysis

The patch addresses an authorization bypass vulnerability in ERPNext's payment request functionality by enforcing proper permission checks before creating payment requests and removing guest access from the `resend_payment_email` endpoint.

Attack Type: auth_bypass
Complexity: trivial
Reliability: reliable
MITRE ATT&CK: T1068 - Exploitation for Privilege Escalation
Authors: ruthra kumar
Vulnerability: CVE-2026-27471 (ERP <=15.98.0/16.0.0-rc.1-16.6.0 - Auth Bypass)
Severity: CRITICAL (CVSS 9.1)