Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release.
Published: 2026-02-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of unpublished course details
Action: Patch
AI Analysis

Impact

In Frappe Learning Management System versions 2.44.0 and earlier, a flaw in the API allows users without proper authorization to retrieve detailed information about courses that are still unpublished. This results in an information‑disclosure vulnerability that could reveal sensitive course outlines, metadata, or other preliminary content. The weakness stems from insufficient access control (CWE‑284) and the lack of proper privilege checks (CWE‑862).

Affected Systems

Affected are installations of Frappe LMS at or below version 2.44.0. The issue is tied to the core API endpoints that expose course details. Users who do not meet the required role or permission threshold can trigger the leak. No other product versions are listed as affected in the advisory.

Risk and Exploitability

The severity score of 6.9 is moderate, and the EPSS score indicates a very low probability of exploitation (<1%). The vulnerability is not currently listed in CISA’s KEV catalog. Attackers can exploit the flaw by sending crafted HTTP requests to the publicly reachable API endpoints; no privileges or user interaction are required beyond unauthenticated network access. Because the vulnerability is tied to API calls, the likely vector is the network layer, and an attacker only needs to observe or guess a known endpoint. The overall risk is limited, but the disclosure of unpublished content still warrants remediation.

Generated by OpenCVE AI on April 17, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe LMS to version 2.45.0 or later, which includes the access‑control fix for unpublished courses.
  • Configure access control on the LMS API to allow only authenticated users with appropriate roles to call course‑detail endpoints.
  • Review existing API permissions and ensure that endpoints returning course data perform role checks; remove or restrict access to discovery endpoints for unpublished content.


Advisories

No advisories yet.

History

Fri, 20 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Frappe learning
CPEs | (none) | cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Frappe learning
Metrics | (none) | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Frappe; Frappe lms
Vendors & Products | (none) | Frappe; Frappe lms

Fri, 20 Feb 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release.
Title | (none) | Frappe Learning Management System exposes details of unpublished courses to unauthorized users
Weaknesses | (none) | CWE-284; CWE-862
References | (none) | (none)
Metrics | (none) | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:35:48.470Z

Reserved: 2026-02-17T01:41:24.604Z

Link: CVE-2026-26977

Vulnrichment

Updated: 2026-02-20T15:31:47.992Z

NVD

Status: Analyzed

Published: 2026-02-20T02:16:54.057

Modified: 2026-02-20T16:33:11.057

Link: CVE-2026-26977

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses