CVE-2026-47182
Deferred Deferred - Pending Action
Unauthenticated File Access in Frappe Framework

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-47182
EUVD
EUVD-2026-36495
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe frappe to 16.17.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-47182 is a security vulnerability in the Frappe Framework, a full-stack web application framework. The issue is a broken access control flaw that allows any authenticated user to access private files by guessing their file paths. This means that users who have logged in can potentially view files that should be restricted and private.

This vulnerability affects versions of Frappe prior to 16.17.4 and has been fixed in version 16.17.4.

Impact Analysis

This vulnerability can lead to unauthorized access to private files by any authenticated user. This could result in exposure of sensitive or confidential information that was intended to be restricted.

Since the flaw allows file access by guessing file paths, it increases the risk of data leakage and potential misuse of private data within the application.

There is no available workaround, so upgrading to version 16.17.4 or later is necessary to mitigate this risk.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Frappe Framework to version 16.17.4 or later, as this version contains the patch that fixes the broken access control issue allowing authenticated users to access private files by guessing file paths.

There is no available workaround for this vulnerability, so upgrading is the only immediate and effective mitigation step.

Compliance Impact

The vulnerability allows any authenticated user to access private files by guessing the file path, which constitutes broken access control.

Such unauthorized access to private files can lead to exposure of sensitive or personal data, potentially violating data protection regulations such as GDPR and HIPAA.

Therefore, this vulnerability could negatively impact compliance with common standards and regulations that require strict access controls and protection of private data.

Upgrading to version 16.17.4, where the issue is patched, is necessary to mitigate this compliance risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47182. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart