CVE-2026-29077
Received Received - Intake
Improper Permission Validation in Frappe Document Sharing

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29077
EUVD
EUVD-2026-9882
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
frappe frappe to 14.100.0 (exc)
frappe frappe From 15.0.0 (inc) to 15.98.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-602 The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29077 is a broken access control vulnerability in the DocShare component of the Frappe framework. It occurs because the system does not properly validate permissions when a user shares a document. This means a user can share a document with permissions that they themselves do not have, allowing unauthorized modification of document permissions and compromising data integrity.

Impact Analysis

This vulnerability can impact you by allowing users with limited permissions to escalate their access rights on shared documents. Specifically, an attacker could modify document permissions without proper authorization, leading to unauthorized changes and potential data integrity issues. The vulnerability has a high severity with a CVSS score of 7.1, and it can be exploited remotely with low complexity and low privileges, without requiring user interaction.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves improper validation during document sharing in the Frappe framework, allowing users to share documents with permissions they do not have. Detection would involve monitoring or auditing document sharing actions to identify cases where users have granted permissions beyond their own.

Since the issue is related to broken access control in the DocShare component, detection might include reviewing logs or database entries for document sharing events where permission escalation occurs.

No specific commands or detection tools are provided in the available resources.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade the Frappe framework to the patched versions 15.98.0 or 14.100.0, which fix the validation flaw in document sharing.

Upgrading ensures proper validation of permissions when sharing documents, preventing unauthorized permission escalation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29077. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart