CVE-2026-31878
Server-Side Request Forgery in Frappe Framework Prior to

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.
Affected Vendors & Products

Showing 3 associated CPEs

| Vendor | Product | Version / Range |
| --- | --- | --- |
| frappe | frappe | up to 14.100.1 (excluding) |
| frappe | frappe | from 15.0.0 (including) to 15.100.0 (excluding) |
| frappe | frappe | from 16.0.0 (including) to 16.6.0 (excluding) |
CWE

| CWE ID | Description |
| --- | --- |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31878 is a Server-Side Request Forgery (SSRF) vulnerability in the Frappe web application framework versions prior to 14.100.1, 15.100.0, and 16.6.0.

This vulnerability allows any authenticated user to send a specially crafted request to a specific endpoint, which causes the server to make an HTTP request to an arbitrary service chosen by the attacker.

The root cause is that the server does not properly validate that the requested URL is within an expected or safe destination, allowing attackers to manipulate the server into making unintended requests.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker with low privileges (authenticated user) to make the server send HTTP requests to arbitrary services.

Such behavior can lead to limited data exposure since the confidentiality impact is low, but it does not affect data integrity or availability.

Because the server can be tricked into communicating with unintended services, this could be used to access internal systems or services that are not normally accessible externally.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a Server-Side Request Forgery (SSRF) that allows an authenticated user to send crafted requests causing the server to make HTTP calls to arbitrary services. Detection involves monitoring for unusual outbound HTTP requests originating from the server to unexpected or unauthorized destinations.

You can detect potential exploitation by inspecting server logs for HTTP requests to endpoints that trigger SSRF and by monitoring outbound HTTP traffic for requests to suspicious or external IP addresses or domains.

Example commands to help detect this vulnerability include:

- Using network monitoring tools like tcpdump or Wireshark to capture outbound HTTP requests: `tcpdump -i <interface> tcp port 80 or 443`
- Searching server access logs for suspicious requests to the vulnerable endpoint (replace `<logfile>` and `<endpoint>`): `grep '<endpoint>' <logfile>`
- Using curl or similar tools to test the endpoint with crafted requests if you have authentication access. [1]


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation is to upgrade the Frappe framework to one of the fixed versions (14.100.1, 15.100.0, or 16.6.0) or later.

Until the upgrade can be performed, consider restricting outbound HTTP requests from the server to only trusted destinations to reduce the risk of exploitation.

Additionally, review and restrict user permissions to limit authenticated users who can access the vulnerable endpoint.

