CVE-2026-29081
SQL Injection in Frappe Framework Endpoint Allows Data Exposure
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | frappe | to 14.100.1 (exc) |
| frappe | frappe | From 15.0.0 (inc) to 15.100.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29081 is a moderate severity SQL injection vulnerability in the Frappe web application framework versions prior to 14.100.1 and 15.100.0.
The vulnerability occurs because of improper sanitization of field names in SQL queries, which allows specially crafted requests to inject malicious SQL code.
This means an attacker can manipulate the SQL commands executed by the application to extract sensitive information from the database.
The attack does not require user interaction and can be performed remotely over the network with low complexity, although low privileges are needed.
The issue is identified as CWE-89, which involves improper neutralization of special elements in SQL commands.
The vulnerability has been fixed by upgrading to versions 14.100.1 or 15.100.0 of Frappe.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to extract sensitive information from your database without your knowledge.
Since the confidentiality impact is high, sensitive data such as user information, credentials, or business data could be exposed.
However, the vulnerability does not affect the integrity or availability of the system, meaning it does not allow data modification or denial of service.
The attack can be performed remotely with low complexity and requires only low privileges, increasing the risk of exploitation.
To mitigate this risk, it is necessary to upgrade to the patched versions 14.100.1 or 15.100.0.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you must upgrade the frappe package to version 14.100.1 or 15.100.0 or later.
There are no workarounds available, so applying the patch by upgrading is the only effective mitigation.