CVE-2026-44976
Deferred Deferred - Pending Action
Privilege Escalation in Frappe Framework

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-44976
EUVD
EUVD-2026-36493
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe frappe to 16.17.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) issue in the Frappe framework, specifically in the update_onboarding_step function.

It allows any authenticated user to modify any field in any Onboarding Step record, which means users can make unauthorized changes to the onboarding process of the application.

This issue affects versions of Frappe prior to 16.17.4 and has been fixed in version 16.17.4.

Impact Analysis

The vulnerability can lead to unauthorized modifications in the onboarding steps of an application using the Frappe framework.

Such unauthorized changes could disrupt the onboarding process, potentially causing confusion, incorrect user setup, or security issues within the application.

Because any authenticated user can exploit this, it increases the risk of insider threats or compromised accounts making unauthorized changes.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Frappe framework to version 16.17.4 or later, where the issue has been patched.

This update fixes the Insecure Direct Object Reference (IDOR) vulnerability that allowed any authenticated user to modify any field in any Onboarding Step record.

Compliance Impact

The vulnerability allows any authenticated user to modify any field in any Onboarding Step record, which could lead to unauthorized changes in the application's onboarding process.

Such unauthorized modifications may impact data integrity and access controls, which are important aspects of compliance with standards like GDPR and HIPAA.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.

Detection Guidance

This vulnerability allows any authenticated user to modify any field in any Onboarding Step record in Frappe versions prior to 16.17.4. Detection involves verifying the version of the Frappe framework in use and checking for unauthorized modifications to Onboarding Step records.

To detect if your system is vulnerable, first identify the Frappe version running on your system. If it is earlier than 16.17.4, the system is vulnerable.

Example command to check the Frappe version (assuming command line access to the environment):

  • frappe --version

To detect unauthorized changes to Onboarding Step records, you can query the database for recent modifications or audit logs if available. For example, using SQL commands to check modification timestamps or user activity on the onboarding_step table.

  • SELECT * FROM onboarding_step WHERE modified > 'YYYY-MM-DD';

Replace 'YYYY-MM-DD' with the date from which you want to check for suspicious changes.

Note: Specific commands may vary depending on your deployment and database setup.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44976. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart