CVE-2026-29077
Improper Permission Validation in Frappe Document Sharing
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | frappe | Up to 14.100.0 (exc) |
| frappe | frappe | From 15.0.0 (inc) to 15.98.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-602 | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can impact you by allowing users with limited permissions to escalate their access rights on shared documents. Specifically, an attacker could modify document permissions without proper authorization, leading to unauthorized changes and potential data integrity issues. The vulnerability has a high severity with a CVSS score of 7.1, and it can be exploited remotely with low complexity and low privileges, without requiring user interaction.
Can you explain this vulnerability to me?
CVE-2026-29077 is a broken access control vulnerability in the DocShare component of the Frappe framework. It occurs because the system does not properly validate permissions when a user shares a document. This means a user can share a document with permissions that they themselves do not have, allowing unauthorized modification of document permissions and compromising data integrity.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade the Frappe framework to the patched versions 15.98.0 or 14.100.0, which fix the validation flaw in document sharing.
Upgrading ensures proper validation of permissions when sharing documents, preventing unauthorized permission escalation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper validation during document sharing in the Frappe framework, allowing users to share documents with permissions they do not themselves hold. Detection would involve monitoring or auditing document-sharing actions to identify cases where a user has granted permissions beyond their own.
Since the issue is broken access control in the DocShare component, detection might include reviewing logs or database entries for document-sharing events in which the granted permissions exceed those of the sharing user.
No specific commands or detection tools are provided in the available resources.
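The two answers above describe the flaw (a share request is trusted without checking the sharer's own permissions, CWE-602 / CWE-284) and the audit that would reveal it (share records whose grants exceed what the sharer held). The following is an added illustration of both, written for this page; it is not Frappe's code and does not reproduce its DocShare implementation. The permission names, the `EFFECTIVE_PERMS` lookup, the `ShareRequest` type and the column names in `SAMPLE_SHARES` are all assumptions constructed for the example.

```python
# Added illustration of the CWE-602 / CWE-284 pattern behind CVE-2026-29077:
# a share request must be validated on the server against the permissions
# the sharer actually holds. Not Frappe's code; all names are assumed.
from dataclasses import dataclass

PERMISSIONS = ("read", "write", "share", "submit")


@dataclass(frozen=True)
class ShareRequest:
    sharer: str
    doctype: str
    name: str
    target_user: str
    grants: frozenset  # subset of PERMISSIONS requested by the client


# Constructed sample: the effective permissions each user holds on a document.
# A real system would compute this from roles and document-level rules.
EFFECTIVE_PERMS = {
    ("alice", "Sales Order", "SO-0001"): {"read", "write", "share", "submit"},
    ("bob", "Sales Order", "SO-0001"): {"read", "share"},
}


def effective_permissions(user, doctype, name):
    return set(EFFECTIVE_PERMS.get((user, doctype, name), set()))


def vulnerable_share(req):
    """'Before' pattern: the server trusts whatever grants the client sent."""
    return set(req.grants)


def validate_share(req):
    """Hardened pattern: grant only what the sharer holds, and only if they may share."""
    own = effective_permissions(req.sharer, req.doctype, req.name)
    if "share" not in own:
        raise PermissionError(f"{req.sharer} may not share {req.doctype} {req.name}")
    unknown = set(req.grants) - set(PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    excess = set(req.grants) - own
    if excess:
        raise PermissionError(f"{req.sharer} cannot grant {sorted(excess)}: not held")
    return set(req.grants)


def share_is_allowed(req):
    """Boolean wrapper around validate_share for callers that only need a verdict."""
    try:
        validate_share(req)
        return True
    except PermissionError:
        return False


# Constructed share records for the audit. Column names are assumed for the
# example (sharer, target user, document, and one flag per permission).
SAMPLE_SHARES = [
    {"owner": "alice", "share_doctype": "Sales Order", "share_name": "SO-0001",
     "user": "carol", "read": 1, "write": 1, "share": 0, "submit": 0},
    {"owner": "bob", "share_doctype": "Sales Order", "share_name": "SO-0001",
     "user": "dave", "read": 1, "write": 1, "share": 0, "submit": 0},
    {"owner": "carol", "share_doctype": "Sales Order", "share_name": "SO-0001",
     "user": "erin", "read": 1, "write": 0, "share": 0, "submit": 0},
]


def audit_shares(rows):
    """Flag existing share rows whose grants exceed the sharer's own permissions."""
    findings = []
    for row in rows:
        granted = {p for p in PERMISSIONS if row.get(p)}
        own = effective_permissions(row["owner"], row["share_doctype"], row["share_name"])
        excess = granted - own
        if excess:
            findings.append((row["owner"], row["user"], row["share_name"], sorted(excess)))
    return findings


if __name__ == "__main__":
    req = ShareRequest("bob", "Sales Order", "SO-0001", "dave", frozenset({"read", "write"}))
    print("vulnerable path grants:", sorted(vulnerable_share(req)))
    print("hardened path allows:", share_is_allowed(req))
    for finding in audit_shares(SAMPLE_SHARES):
        print("excess grant:", finding)
```

The check in `validate_share` is the server-side rule the advisory's fix restores in spirit: the requested grants are compared with the sharer's own effective permissions before anything is written, and a sharer without the `share` right is refused outright. `audit_shares` applies the same comparison retrospectively to stored share rows, which is the kind of review the detection answer refers to; on the constructed sample it flags bob (granting `write` while holding only `read` and `share`) and carol (granting `read` on a document she has no access to).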