CVE-2026-44208
Status: Deferred - Pending Action

Authentication Bypass in Frappe Framework

Vulnerability report for CVE-2026-44208, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.


Meta Information

Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-07-03
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-07-01
External records: NVD, EUVD

Affected Vendors & Products

Vendor   Product   Version / Range
frappe   frappe    up to 16.17.0 (excluding)

CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.


AI Quick Actions

Executive Summary

CVE-2026-44208 is an Insecure Direct Object Reference (IDOR) vulnerability in the submit_discussion() function of the Frappe Framework.

Because the endpoint does not validate that the caller is entitled to the resource it references, an attacker can use it to gain unauthorized access to that resource.

This issue affects Frappe Framework versions prior to 15.107.0 and 16.17.0; those two releases contain the fix.

Impact Analysis

This vulnerability allows attackers to gain unauthorized access to resources within the Frappe Framework.

Such unauthorized access can lead to exposure of sensitive data or manipulation of information that should be protected.

The severity is classified as Moderate, indicating a significant risk if exploited.

Mitigation Strategies

To mitigate CVE-2026-44208, update the Frappe Framework to 15.107.0 or later on the 15 series, or to 16.17.0 or later on the 16 series; these releases contain the patch that fixes the insecure direct object reference in the submit_discussion() endpoint. Note that "or later" is per series: a 16.x release below 16.17.0 is still affected even though it is numerically newer than 15.107.0.

There are no available workarounds for this issue, so applying the update is the only immediate effective mitigation step.
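Since the only mitigation is a per-series version floor, the practical check is a branch-aware comparison rather than a single "newer than" test. The following script is an added example for this page, not Frappe's own tooling: it takes an inventory of (host, version string) pairs, which you would fill from your own asset records, and labels each host against the fixed releases named in the advisory. The version strings in the sample inventory are constructed, and the handling of major series other than 15 and 16 is an assumption spelled out in the comments.

```python
"""Branch-aware check of installed Frappe versions against the releases that
fix CVE-2026-44208 (15.107.0 and 16.17.0, as stated in the advisory above).
Added example for this page; not Frappe's own code."""
import re
from typing import List, Optional, Tuple

# Fixed releases stated in the advisory, keyed by major series.
FIXED_VERSIONS = {15: (15, 107, 0), 16: (16, 17, 0)}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse strings such as 'v15.106.3', '16.17.0-beta' or '15.107' into a
    numeric (major, minor, patch) tuple. A missing patch component is treated
    as 0; anything without a leading MAJOR.MINOR is rejected (returns None)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is below the fix for its own major series.

    Assumptions beyond the advisory text:
      - majors older than 15 are 'prior to' both fixed releases and have no
        fixed release of their own, so they are reported as vulnerable;
      - majors newer than 16 are assumed to have branched after the fix.
    Returns None if the version string cannot be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    major = v[0]
    if major in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[major]
    if major < 15:
        return True   # assumption: no fixed release in this series
    return False      # assumption: later majors carry the fix


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair for a patch-tracking report."""
    labels = {True: "VULNERABLE", False: "patched", None: "unknown"}
    return [(host, ver, labels[is_vulnerable(ver)]) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = [
        ("erp-prod", "v15.106.3"),   # 15 series, below 15.107.0
        ("erp-stage", "v15.107.0"),  # exactly the 15-series fix
        ("erp-dev", "16.16.9"),      # 16 series, below 16.17.0
        ("erp-test", "v16.17.0"),    # exactly the 16-series fix
        ("legacy", "14.80.1"),       # older series, no fixed release
        ("sandbox", "develop"),      # unparseable, needs manual review
    ]
    for host, ver, label in triage(sample):
        print(f"{host:10} {ver:12} {label}")
```

Hosts labelled "unknown" (for example a checkout of a development branch) should be inspected by hand rather than silently treated as patched; the comparison only says something about releases that carry a numeric version.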

Detection Guidance

The available resources provide no specific detection commands, signatures, or network or system scanning methods for this vulnerability; the practical check is to compare the installed Frappe Framework version against the fixed releases.

The vulnerability is an Insecure Direct Object Reference (IDOR) in the submit_discussion() endpoint of the Frappe Framework, affecting versions prior to 15.107.0 and 16.17.0.

The recommended mitigation is to update the Frappe Framework to version 15.107.0, 16.17.0, or later.
