CVE-2026-44975
Status: Deferred - Pending Action
Authentication Bypass in Frappe Framework

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.
Meta Information
Generated: 2026-06-12
AI Q&A generated: 2026-06-12
EPSS evaluated: N/A
Affected Vendors & Products
1 associated CPE
Vendor: frappe
Product: frappe
Version / Range: all versions up to 16.17.4 (excluding 16.17.4)
CWE ID and Description
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions (AI-generated analysis)
Compliance Impact

The available information does not state how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability in the Frappe framework allows any authenticated user to reset the onboarding process for all users in the system, because the form that resets onboarding tours performs no authorization check.

It affects versions prior to 15.107.2 and 16.17.4 and has been classified as a low severity issue.

Impact Analysis

The vulnerability could allow an authenticated user to disrupt the onboarding experience for all users by resetting their onboarding status, potentially causing confusion or workflow interruptions.

Detection Guidance

This vulnerability stems from a missing authorization check on the form that resets onboarding tours in the Frappe framework, which lets any authenticated user reset onboarding for all users.

To detect if your system is vulnerable, you should first identify the version of Frappe running on your system. Versions prior to 15.107.2 and 16.17.4 are affected.

You can check the Frappe version by running a command on the server hosting the application, such as:

  • frappe --version

Additionally, monitoring logs for any unauthorized or unusual reset onboarding requests by authenticated users could help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade your Frappe framework to a patched release: 15.107.2 or later on the version 15 branch, or 16.17.4 or later on the version 16 branch.

Until you can upgrade, restrict access to the reset onboarding functionality to trusted users only, if possible, and monitor for any suspicious activity related to onboarding resets.
