Skip to main content

Frappe Press EUVDEUVD-2026-25386

| CVE-2026-41317 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-24 GitHub_M
6.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 30, 2026 - 14:53 nvd
Patch available
Patch available
Apr 24, 2026 - 05:31 EUVD
Analysis Generated
Apr 24, 2026 - 03:32 vuln.today
CVSS changed
Apr 24, 2026 - 03:22 NVD
6.6 (MEDIUM)
EUVD ID Assigned
Apr 24, 2026 - 03:00 euvd
EUVD-2026-25386
Analysis Generated
Apr 24, 2026 - 03:00 vuln.today
CVE Published
Apr 24, 2026 - 02:40 nvd
MEDIUM 6.6

DescriptionGitHub Advisory

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).press.api.account.create_api_secret is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.

AnalysisAI

Frappe Press create_api_secret endpoint accepts GET requests despite performing database writes, enabling Cross-Site Request Forgery (CSRF)-like attacks where unauthenticated remote attackers can create API secrets by tricking authenticated users into visiting a malicious URL. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

Frappe Press is a custom application layer built on the Frappe framework that manages cloud infrastructure, subscriptions, and SaaS deployments. The vulnerable endpoint press.api.account.create_api_secret implements database write operations (API secret creation) without enforcing HTTP method restrictions, allowing GET requests when only POST should be permitted. This violates REST conventions and creates a CSRF vector where state-changing operations can be triggered via simple hyperlinks or image tags embedded in third-party sites, requiring no user interaction beyond having an authenticated session. CWE-352 (Cross-Site Request Forgery) reflects the root cause: insufficient validation of request origin and HTTP method.

RemediationAI

Apply the patch from commit 52ea2f2d1b587be0807557e96f025f47897d00fd, which restricts the create_api_secret endpoint to POST method only, blocking GET requests. Pull the latest Frappe Press version incorporating this commit from the official repository. If immediate patching is unavailable, implement a reverse proxy rule (nginx/Apache) to reject GET requests to /api/account/create_api_secret, returning HTTP 405 Method Not Allowed. Additionally, audit existing API secrets for unauthorized creation timestamps, enforce API secret rotation policies, and monitor API secret creation logs for anomalous activity. The side effect of the POST restriction is minimal-legitimate clients must transition from GET-based calls (if any exist) to proper POST requests with CSRF tokens provided by the Frappe framework. See GitHub Security Advisory GHSA-q4wg-jrr8-vpwf for additional context and deployment notes.

Share

EUVD-2026-25386 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy