CVE-2026-44208
Status: Deferred - Pending Action
Authentication Bypass in Frappe Framework

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
Affected Vendors & Products
Vendor: frappe
Product: frappe
Version / Range: all versions before 16.17.0 (16.17.0 itself excluded)
CWE
CWE-285 (Improper Authorization): The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-44208 is an Insecure Direct Object Reference (IDOR) vulnerability in the submit_discussion() function of the Frappe Framework.

Due to insufficient input validation in this endpoint, attackers can exploit the flaw to gain unauthorized access to resources.

This issue affects Frappe Framework releases prior to 15.107.0 (15.x line) and prior to 16.17.0 (16.x line); both of those releases contain the fix.

Impact Analysis

This vulnerability allows attackers to gain unauthorized access to resources within the Frappe Framework.

Such unauthorized access can lead to exposure of sensitive data or manipulation of information that should be protected.

The severity is classified as Moderate; an authorization check that is missing on a web endpoint is still a meaningful risk if the endpoint is reachable by untrusted users.

Mitigation Strategies

To mitigate CVE-2026-44208, update Frappe Framework to 15.107.0 or later on the 15.x line, or to 16.17.0 or later on the 16.x line, as these versions contain the patch that adds the missing authorization validation in the submit_discussion() endpoint.

There are no available workarounds for this issue, so applying the update is the only immediate effective mitigation step.
