CVE-2026-32954 is a vulnerability classified under CWE-89, indicating improper neutralization of special elements used in SQL commands, commonly known as SQL injection. This flaw affects ERPNext, a widely used free and open-source Enterprise Resource Planning (ERP) software developed by Frappe. Specifically, versions prior to 16.8.0 and 15.100.0 contain certain endpoints that do not sufficiently validate input parameters before incorporating them into SQL queries. This improper validation allows attackers to perform time-based and boolean-based blind SQL injection attacks. Such attacks do not directly reveal data but enable attackers to infer sensitive information from the database by observing response times or boolean conditions. The vulnerability requires the attacker to have low-level privileges (PR:L) but does not require user interaction (UI:N), and it can be exploited remotely over the network (AV:N). The CVSS v3.1 base score of 7.1 reflects a high severity due to the high impact on confidentiality, limited impact on availability, and no impact on integrity. The vulnerability has been fixed in ERPNext versions 16.8.0 and 15.100.0 by improving parameter validation and sanitization to prevent injection of malicious SQL code. No public exploit code or active exploitation has been reported to date, but the potential for data leakage remains significant if unpatched systems are exposed.

The primary impact of CVE-2026-32954 is the unauthorized disclosure of sensitive database information due to blind SQL injection attacks. Organizations running vulnerable versions of ERPNext risk exposure of confidential business data, including financial records, customer information, and internal operational data. Although the vulnerability does not allow direct modification or deletion of data, the confidentiality breach can facilitate further attacks such as privilege escalation, data exfiltration, or social engineering. The attack requires only low privileges and no user interaction, increasing the likelihood of exploitation in exposed environments. The availability impact is low, but the loss of confidentiality can severely damage organizational reputation, compliance posture, and operational security. Given ERPNext’s use in diverse industries worldwide, the vulnerability could affect a broad range of sectors including manufacturing, retail, healthcare, and education.

To mitigate CVE-2026-32954, organizations should immediately upgrade ERPNext installations to versions 16.8.0 or 15.100.0 or later, where the vulnerability has been patched. In addition to patching, organizations should implement strict input validation and sanitization on all user-supplied data, especially on endpoints that interact with the database. Employing web application firewalls (WAFs) with SQL injection detection rules can provide an additional layer of defense against exploitation attempts. Regularly audit and monitor database query logs for unusual patterns indicative of blind SQL injection attempts, such as repeated time delays or boolean-based probing. Restrict database user privileges to the minimum necessary to limit the potential impact of injection attacks. Finally, conduct security awareness training for developers and administrators to ensure secure coding practices and timely application of security updates.