Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint requires only a low-privileged authenticated account (PR:L); impact is limited to integrity modification of onboarding state with no confidentiality or availability loss.
Primary rating from Vendor (GitHub_M).
Description (source: CVE.org)
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.
Analysis (AI-generated)
Missing authorization in Frappe allows any authenticated low-privileged user to invoke the onboarding reset function and wipe onboarding state for all users system-wide, affecting all releases before 15.107.2 and 16.17.4. The CWE-862 root cause indicates the reset endpoint performs no role or privilege check before executing a privileged, system-wide operation. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires a valid, active session in Frappe: any user account at the lowest privilege tier is sufficient (PR:L per the CVSS 4.0 vector). … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) scores 5.3 (Medium), reflecting network-accessible exploitation that requires only a low-privileged authenticated account, with no attack complexity or user interaction requirements. … |
| Exploit Scenario | An attacker with any valid Frappe user account, such as a disgruntled employee or a user whose credentials were phished, authenticates to the application and sends a single crafted HTTP request to the unprotected onboarding reset endpoint. Because the server performs no authorization check, it processes the request and resets onboarding state for every user in the instance, forcing all users through setup flows on next login and potentially disrupting business operations. … |
| Remediation | Upgrade Frappe to version 15.107.2 (v15 branch) or 16.17.4 (v16 branch), as confirmed by the vendor in GitHub Security Advisory GHSA-9cxj-48g3-jx22 at https://github.com/frappe/frappe/security/advisories/GHSA-9cxj-48g3-jx22. … |
EUVD identifier: EUVD-2026-36491