Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).press.api.account.create_api_secret is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.
AnalysisAI
Frappe Press create_api_secret endpoint accepts GET requests despite performing database writes, enabling Cross-Site Request Forgery (CSRF)-like attacks where unauthenticated remote attackers can create API secrets by tricking authenticated users into visiting a malicious URL. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
Frappe Press is a custom application layer built on the Frappe framework that manages cloud infrastructure, subscriptions, and SaaS deployments. The vulnerable endpoint press.api.account.create_api_secret implements database write operations (API secret creation) without enforcing HTTP method restrictions, allowing GET requests when only POST should be permitted. This violates REST conventions and creates a CSRF vector where state-changing operations can be triggered via simple hyperlinks or image tags embedded in third-party sites, requiring no user interaction beyond having an authenticated session. CWE-352 (Cross-Site Request Forgery) reflects the root cause: insufficient validation of request origin and HTTP method.
RemediationAI
Apply the patch from commit 52ea2f2d1b587be0807557e96f025f47897d00fd, which restricts the create_api_secret endpoint to POST method only, blocking GET requests. Pull the latest Frappe Press version incorporating this commit from the official repository. If immediate patching is unavailable, implement a reverse proxy rule (nginx/Apache) to reject GET requests to /api/account/create_api_secret, returning HTTP 405 Method Not Allowed. Additionally, audit existing API secrets for unauthorized creation timestamps, enforce API secret rotation policies, and monitor API secret creation logs for anomalous activity. The side effect of the POST restriction is minimal-legitimate clients must transition from GET-based calls (if any exist) to proper POST requests with CSRF tokens provided by the Frappe framework. See GitHub Security Advisory GHSA-q4wg-jrr8-vpwf for additional context and deployment notes.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25386