Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.44.0, a security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students (by email) in batches. This vulnerability is fixed in 2.44.0.
Published: 2026-02-11
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized users can access the full list of batch enrolled students, exposing private email addresses and sensitive user data.
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an authorization failure that allows unauthenticated or unauthorised users to retrieve the complete list of students enrolled in a batch, identified by their email addresses. This exposes private user information and can enable social engineering or privacy violations. The weakness is categorized as CWE-863 (Incorrect Authorization).

Affected Systems

The affected product is the Frappe Learning Management System (LMS) from the vendor Frappe (tracked as frappe:lms). Versions prior to 2.44.0 are impacted, including all 2.43.x and earlier releases. No other vendors or products were identified.

Risk and Exploitability

The CVSS score of 1.3 reflects a low overall impact, but the disclosure of personal email addresses is a notable privacy concern. The EPSS score is below 1%, indicating a low likelihood of exploitation at the current time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is unauthenticated or unauthorised access to the LMS application, requiring the attacker to interact with the application's API or web interface. Since the flaw is an authorization oversight, standard preventive controls such as proper role-based access checks on the batch student listing are required to mitigate exploitation.

Generated by OpenCVE AI on April 17, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe LMS to version 2.44.0 or newer, which removes the authorization flaw.
  • Ensure the application's role-based permissions for the batch enrollment API are configured so that only authenticated users with the appropriate role can access student lists.
  • If an immediate upgrade is not possible, consider temporarily disabling public endpoints that expose batch student information until the fix can be applied.


Advisories

No advisories yet.

History

Thu, 12 Feb 2026 17:15:00 +0000

Values added:
  First Time appeared: Frappe learning
  CPEs: cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:*
  Vendors & Products: Frappe learning
  Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Thu, 12 Feb 2026 16:15:00 +0000

Values added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 09:45:00 +0000

Values added:
  First Time appeared: Frappe, Frappe Lms
  Vendors & Products: Frappe, Frappe Lms

Wed, 11 Feb 2026 21:45:00 +0000

Values added:
  Description: Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.44.0, security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students (by email) in batches. This vulnerability is fixed in 2.44.0.
  Title: Frappe LMS affected by unauthorised user was able to access the full list of batch enrolled students
  Weaknesses: CWE-863
  References: (none)
  Metrics: cvssV4_0 {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T15:40:20.046Z

Reserved: 2026-02-09T21:36:29.556Z

Link: CVE-2026-26031

Vulnrichment

Updated: 2026-02-12T15:40:16.585Z

NVD

Status: Analyzed

Published: 2026-02-11T22:15:52.540

Modified: 2026-02-12T17:11:21.400

Link: CVE-2026-26031

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z

Weaknesses