CVE-2026-47182
Deferred Deferred - Pending Action

Unauthenticated File Access in Frappe Framework

Vulnerability report for CVE-2026-47182, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description

Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-07-02
AI Q&A
2026-06-12
EPSS Evaluated
2026-07-01
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
frappe frappe to 16.17.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-47182 is a security vulnerability in the Frappe Framework, a full-stack web application framework. The issue is a broken access control flaw that allows any authenticated user to access private files by guessing their file paths. This means that users who have logged in can potentially view files that should be restricted and private.

This vulnerability affects versions of Frappe prior to 16.17.4 and has been fixed in version 16.17.4.

Impact Analysis

This vulnerability can lead to unauthorized access to private files by any authenticated user. This could result in exposure of sensitive or confidential information that was intended to be restricted.

Since the flaw allows file access by guessing file paths, it increases the risk of data leakage and potential misuse of private data within the application.

There is no available workaround, so upgrading to version 16.17.4 or later is necessary to mitigate this risk.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Frappe Framework to version 16.17.4 or later, as this version contains the patch that fixes the broken access control issue allowing authenticated users to access private files by guessing file paths.

There is no available workaround for this vulnerability, so upgrading is the only immediate and effective mitigation step.

Compliance Impact

The vulnerability allows any authenticated user to access private files by guessing the file path, which constitutes broken access control.

Such unauthorized access to private files can lead to exposure of sensitive or personal data, potentially violating data protection regulations such as GDPR and HIPAA.

Therefore, this vulnerability could negatively impact compliance with common standards and regulations that require strict access controls and protection of private data.

Upgrading to version 16.17.4, where the issue is patched, is necessary to mitigate this compliance risk.

Detection Guidance

This vulnerability involves broken access control allowing any authenticated user to access private files by guessing the file path in Frappe Framework versions prior to 16.17.4.

To detect this vulnerability on your system, you can attempt to access private files by guessing or enumerating file paths while authenticated. If unauthorized access to private files is possible, the system is vulnerable.

There are no specific commands or automated detection tools provided in the available resources. However, a manual approach could involve using HTTP request tools like curl or wget to try accessing known or guessed private file paths with valid authentication tokens or cookies.

  • Example curl command to test access to a private file (replace placeholders accordingly):
  • curl -i -H "Cookie: session=YOUR_AUTH_SESSION_COOKIE" https://your-frappe-instance/path/to/private/file
  • If the response returns the private file content instead of an access denied error, the system is vulnerable.

Upgrading to version 16.17.4 or later is the recommended mitigation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47182. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart