CVE-2026-26977
Received Received - Intake
Unauthorized API Access to Unpublished Courses in Frappe LMS

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26977
EUVD
EUVD-2026-8402
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe learning From 2.0.0 (inc) to 2.45.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26977 is a security vulnerability in the Frappe Learning Management System (LMS) versions 2.44.0 and below. It allows unauthorized users to access details of unpublished courses via API endpoints. This means that sensitive course information, which should be restricted to administrators and enrolled students, could be viewed by anyone without proper permissions.

The issue was fixed in version 2.45.0 by adding a check in the API to ensure that only administrators and enrolled students can access unpublished course details.

Impact Analysis

This vulnerability can impact you by exposing sensitive or confidential course information that is not yet published or intended for public access. Unauthorized users could retrieve details about unpublished courses, potentially leading to information leakage or misuse of course content.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized access to unpublished course details via API endpoints in Frappe LMS versions 2.44.0 and below.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system or network, you can attempt to access unpublished course details through the LMS API without authentication or with a non-privileged user account.'}, {'type': 'paragraph', 'content': 'For example, you might use curl or similar HTTP request tools to query the API endpoints that return course details and check if unpublished courses are accessible.'}, {'type': 'list_item', 'content': 'curl -X GET "https://your-frappe-lms-instance/api/courses/{unpublished_course_id}"'}, {'type': 'list_item', 'content': 'Check the response for course details that should be restricted.'}, {'type': 'paragraph', 'content': 'If unpublished course details are returned without proper authorization, the system is vulnerable.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Frappe LMS to version 2.45.0 or later, where the vulnerability has been fixed.

The fix includes an API endpoint check that restricts access to unpublished course details only to administrators and enrolled students.

Until the upgrade is possible, consider restricting access to the API endpoints that expose course details, for example by implementing network-level access controls or authentication enforcement.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart