EUVD-2026-36487Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable IDOR requiring authenticated session (PR:L); read-only confidentiality impact limited to email config data; no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0.
AnalysisAI
Insecure Direct Object Reference (IDOR) in the Frappe full-stack web application framework exposes email configuration details of arbitrary users to any authenticated account. The flaw exists in versions prior to 15.107.0 (v15 branch) and 16.17.0 (v16 branch), allowing a low-privilege authenticated attacker to enumerate and read email settings belonging to other users by manipulating object references in requests. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active authenticated session on the Frappe instance - any user account regardless of role or privilege level is sufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (6.9, AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) indicates no privileges required, which directly conflicts with the CVE description stating exploitation requires an authenticated user - this discrepancy should be verified against the vendor advisory at GHSA-cw6v-39qx-7r74. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any valid Frappe account - such as a low-privilege employee or contractor account in an ERPNext deployment - sends a crafted HTTP request to the email configuration retrieval endpoint, substituting another user's record identifier for their own. The server returns the target user's email configuration details, potentially including stored SMTP credentials or OAuth tokens, without validating ownership. … |
| Remediation | Upgrade Frappe to version 15.107.0 (v15 branch) or 16.17.0 (v16 branch) - these are the vendor-confirmed patched releases per the GitHub security advisory at https://github.com/frappe/frappe/security/advisories/GHSA-cw6v-39qx-7r74. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthe
Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and
Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browser
Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious
DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthen
Share
External POC / Exploit Code
Leaving vuln.today