Skip to main content

Frappe Framework CVE-2026-49394

| EUVDEUVD-2026-43105 HIGH
Missing Authorization (CWE-862)
2026-07-10 GitHub_M
7.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable endpoint (AV:N) with low complexity, but a valid low-privilege account is required (PR:L); impact is integrity-only tampering of public workspaces, so C:N/I:H/A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 23:02 EUVD
Analysis Generated
Jul 10, 2026 - 21:55 vuln.today

DescriptionCVE.org

Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0.

AnalysisAI

Broken access control in the Frappe framework (all versions prior to 16.19.0) lets a low-privileged authenticated user modify public Workspaces they should not control, because the update_page endpoint failed to enforce the Workspace Manager edit permission on public workspaces. Any user able to reach the endpoint can alter shared workspace layout and content, an integrity-only impact with no data disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege Frappe user
Exploit
Send crafted request to update_page
Execution
Bypass missing Workspace Manager check
Impact
Modify public workspace configuration

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Frappe account (CVSS PR:L) that can reach the Workspace update_page endpoint, and the target must be a public (shared) Workspace - private workspaces already enforced the check and are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N, score 7.1) tells a consistent story: network-reachable, low complexity, requires an authenticated low-privilege account, no user interaction, and a pure integrity impact with no confidentiality or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user with an ordinary low-privilege Frappe account - but without the Workspace Manager role - sends a crafted request to the update_page endpoint targeting a public Workspace and successfully saves changes to it, altering the shared dashboard/navigation seen by the whole organization. No public POC is known, but the low attack complexity and lack of required user interaction make it trivial for any authenticated user to attempt.
Remediation Vendor-released patch: 16.19.0 - upgrade the Frappe framework to v16.19.0 or later (https://github.com/frappe/frappe/releases/tag/v16.19.0), which adds the missing Workspace Manager edit check to the public-workspace path; the underlying fixes are in PRs https://github.com/frappe/frappe/pull/39508 and https://github.com/frappe/frappe/pull/39526 and commits 2471d94c397dc23301b30ed3bb30353f53b33f2c and 6eba29d7ae80cdb4d0b2a245a477b1d2312736ca. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Frappe instances running versions prior to 16.19.0 and identify those with shared public Workspaces. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Frappe

View all
CVE-2025-67289 CRITICAL POC
9.6 Dec 22

Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on

CVE-2026-39352 HIGH POC
8.7 May 20

Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrie

CVE-2025-56381 MEDIUM POC
6.5 Oct 02

ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportv

CVE-2025-56380 MEDIUM POC
6.5 Oct 02

Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the fra

CVE-2025-52048 MEDIUM POC
6.5 Sep 15

In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py

CVE-2022-41712 MEDIUM POC
6.5 Nov 25

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. Rated medium severity (CVSS

CVE-2019-15700 MEDIUM POC
6.1 Aug 27

public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and

CVE-2026-31877 CRITICAL
9.8 Mar 11

SQL injection in Frappe framework before 15.84.0/14.99.0.

CVE-2019-14965 CRITICAL
9.8 Aug 12

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. Rated critical severity (CVSS 9.8), this vulner

CVE-2025-56379 MEDIUM POC
5.4 Oct 02

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execu

CVE-2026-35614 CRITICAL
9.3 Apr 07

SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL command

CVE-2025-65267 CRITICAL
9.0 Dec 03

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to

Share

CVE-2026-49394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy