CVE-2026-26977
Unauthorized API Access to Unpublished Courses in Frappe LMS
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | learning | From 2.0.0 (inc) to 2.45.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26977 is a missing-authorization flaw (CWE-862) in Frappe Learning Management System (LMS), affecting versions from 2.0.0 up to but not including 2.45.0. The API endpoints that return course details did not check whether the caller was allowed to see a course that has not yet been published, so the details of unpublished courses, which should be visible only to administrators and students enrolled in that course, could be retrieved by anyone who could reach the endpoint.
The issue was fixed in version 2.45.0 by adding a check to the API so that unpublished course details are returned only to administrators and enrolled students.
How can this vulnerability impact me?
This vulnerability can impact you by exposing sensitive or confidential course information that is not yet published or intended for public access. Unauthorized users could retrieve details about unpublished courses, potentially leading to information leakage or misuse of course content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a missing authorization check on the Frappe LMS API endpoints that return course details, in versions 2.0.0 up to but not including 2.45.0.

First check the installed version: on the server, `bench version` lists every installed app with its version; a Frappe Learning (LMS) app below 2.45.0 is in the affected range.

To confirm the behaviour rather than just the version, request the details of a course that is still unpublished while logged in as an account that is neither an administrator nor enrolled in that course, because the fix grants access only to those two groups. A request with no credentials at all is a second, weaker probe: it only shows whether guests are blocked, not whether a non-enrolled user is. For example, with curl or a similar HTTP client:

- `curl -X GET "https://your-frappe-lms-instance/api/courses/{unpublished_course_id}"` (the path here is a placeholder; substitute the course-detail endpoint your instance actually exposes and attach the low-privilege account's session cookie or API token)
- Check the response body for fields of the unpublished course (title, description and the rest of the course record) that should have been withheld.

If unpublished course details are returned to such a caller, the system is vulnerable. A 401 or 403 response for that caller indicates the check is in place; a 404 or other error is inconclusive and should be re-tested against a course name you know exists. [1]
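The probe described above, as an added example rather than code from the advisory or from Frappe LMS. It assumes course records are reachable through Frappe's generic REST resource endpoint `/api/resource/LMS Course/<name>` (substitute your instance's real course-detail endpoint if it differs), that API-key auth uses Frappe's `Authorization: token <api_key>:<api_secret>` header, and that the course document carries a `published` field; the sample responses at the bottom are constructed, not captured from a live system.

```python
"""Probe a Frappe LMS instance for CVE-2026-26977: are unpublished course
details returned to a caller who is neither an admin nor enrolled?

Added example, not code from the advisory or from Frappe LMS. Assumptions:
  - course-detail endpoint: /api/resource/LMS Course/<course name>
  - token auth header:      Authorization: token <api_key>:<api_secret>
  - the course document has a "published" field (0/1 as in Frappe check fields)
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

LEAK = "VULNERABLE: unpublished course details returned"
DENIED = "not vulnerable for this caller: access denied"
NOT_FOUND = "inconclusive: course not found (wrong name, or hidden by the fix)"
PUBLISHED = "inconclusive: course is published, re-test with an unpublished one"
UNKNOWN = "inconclusive: unexpected response"


def classify_response(status: int, body: str) -> str:
    """Decide what one course-detail response says about the flaw.

    Only a 200 carrying an *unpublished* course record proves the missing
    check. 401/403 means the endpoint enforced something for this caller.
    Everything else is inconclusive and must not be reported as 'safe'.
    """
    if status in (401, 403):
        return DENIED
    if status == 404:
        return NOT_FOUND
    if status != 200:
        return UNKNOWN
    try:
        doc = json.loads(body).get("data", {})
    except (ValueError, AttributeError):
        return UNKNOWN
    if not isinstance(doc, dict) or "name" not in doc or "published" not in doc:
        return UNKNOWN
    if doc["published"] in (1, True, "1"):
        return PUBLISHED
    return LEAK


def fetch_course(base_url: str, course_name: str,
                 api_key: Optional[str] = None,
                 api_secret: Optional[str] = None) -> Tuple[int, str]:
    """Issue the probe as a guest (no credentials) or as a low-privilege user
    (API key/secret of an account that is NOT enrolled in the course)."""
    path = "/api/resource/LMS%20Course/" + urllib.parse.quote(course_name)
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    if api_key and api_secret:
        req.add_header("Authorization", f"token {api_key}:{api_secret}")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Frappe answers denied/missing requests with a JSON error body.
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url: str, course_name: str,
          api_key: Optional[str] = None, api_secret: Optional[str] = None) -> str:
    return classify_response(*fetch_course(base_url, course_name, api_key, api_secret))


# Constructed sample responses (not from a real instance) so the classifier
# can be exercised offline.
SAMPLE_LEAK = (200, json.dumps({"data": {"name": "internal-onboarding",
                                         "title": "Internal Onboarding",
                                         "published": 0}}))
SAMPLE_DENIED = (403, json.dumps({"exc_type": "PermissionError"}))
SAMPLE_PUBLISHED = (200, json.dumps({"data": {"name": "intro", "published": 1}}))

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:
        # usage: probe.py https://lms.example.com <course-name> [api_key api_secret]
        print(probe(sys.argv[1], sys.argv[2], *sys.argv[3:5]))
    else:
        for status, body in (SAMPLE_LEAK, SAMPLE_DENIED, SAMPLE_PUBLISHED):
            print(classify_response(status, body))
```

Run it twice against the same unpublished course: once with no credentials and once with the API key of a non-enrolled, non-admin account. Only the second run answers the question the fix addresses; treat any result other than the two "VULNERABLE"/"access denied" outcomes as a reason to re-check the endpoint path and course name rather than as a clean bill of health.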
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Frappe LMS to version 2.45.0 or later, where the vulnerability is fixed.
The fix adds a check to the API endpoint so that unpublished course details are returned only to administrators and students enrolled in that course.
Until the upgrade is possible, restrict reachability of the API endpoints that expose course details, for example with network-level access controls at the reverse proxy or firewall. Note that merely requiring a login is not equivalent to the fix: the missing check is the enrolled-or-admin test, so any authenticated account that is not enrolled in a course could still read it until the patched version is deployed.
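The kind of check the fix introduces, shown in plain Python as an added example (this is not Frappe LMS's own code and not the actual patch). It models the authorization decision with constructed in-memory data so it runs offline; in a real Frappe app the same decision would sit inside the whitelisted method that serves course details, reading the course record, the session user, their roles and the enrollment records from the database. The field, role and enrollment names used here are assumptions, not the project's schema.

```python
"""Missing authorization check (CWE-862) on course details, and the fix.

Added example, not Frappe LMS code. Modelled in plain Python:
  - Course.published stands in for the course doctype's published flag
  - ADMIN_ROLES are assumed role names, not the project's actual roles
  - enrollments is a set of (user, course) pairs standing in for enrollment
    records; the pair must match THIS course, not just any course
"""
from dataclasses import dataclass, field
from typing import Set, Tuple

ADMIN_ROLES = {"System Manager", "Moderator", "Course Creator"}  # assumed names


@dataclass
class Course:
    name: str
    title: str
    published: bool
    description: str = ""


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


class CoursePermissionError(Exception):
    """Stand-in for the framework's permission error (fail closed)."""


def serialize(course: Course) -> dict:
    return {"name": course.name, "title": course.title,
            "published": course.published, "description": course.description}


def course_details_vulnerable(course: Course, user: User,
                              enrollments: Set[Tuple[str, str]]) -> dict:
    """Pre-2.45.0 behaviour as the advisory describes it: the record is
    returned to every caller, whether or not the course is published."""
    return serialize(course)


def can_view_course(course: Course, user: User,
                    enrollments: Set[Tuple[str, str]]) -> bool:
    """Authorization decision: published courses are public; unpublished
    ones are visible only to administrators and to students enrolled in
    that specific course. Anything else is denied."""
    if course.published:
        return True
    if user.roles & ADMIN_ROLES:
        return True
    return (user.name, course.name) in enrollments


def course_details_fixed(course: Course, user: User,
                         enrollments: Set[Tuple[str, str]]) -> dict:
    """Guarded version: raise rather than return a partial/redacted record,
    so a caller cannot distinguish 'hidden' from 'restricted' by field shape."""
    if not can_view_course(course, user, enrollments):
        raise CoursePermissionError(f"{user.name} may not view {course.name}")
    return serialize(course)


# Constructed sample data (no real accounts or courses).
COURSES = {
    "intro-python": Course("intro-python", "Intro to Python", published=True),
    "q3-security": Course("q3-security", "Q3 Security Training", published=False,
                          description="Embargoed until launch"),
}
ENROLLMENTS = {("alice@example.com", "q3-security")}
GUEST = User("Guest")                      # Frappe's unauthenticated user name
ALICE = User("alice@example.com")          # enrolled in q3-security
BOB = User("bob@example.com")              # logged in, enrolled in nothing
ADMIN = User("admin@example.com", {"System Manager"})


def leaked_to(course_name: str) -> list:
    """Which sample users receive the unpublished record from the vulnerable
    endpoint but are refused by the fixed one."""
    course = COURSES[course_name]
    out = []
    for user in (GUEST, ALICE, BOB, ADMIN):
        vulnerable_ok = "description" in course_details_vulnerable(course, user, ENROLLMENTS)
        if vulnerable_ok and not can_view_course(course, user, ENROLLMENTS):
            out.append(user.name)
    return out


if __name__ == "__main__":
    print("leaked to:", leaked_to("q3-security"))  # Guest and bob, not alice/admin
```

The enrollment test keys on the (user, course) pair deliberately: checking "is this user enrolled anywhere" would still expose every unpublished course to any student, which is the same class of bug with a narrower audience.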