Description
Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Broken access control allowing users to grant others unauthorized permissions to documents
Action: Immediate patch
AI Analysis

Impact

The vulnerability allows a user to share a document with a permission level that the user does not possess, effectively bypassing the access control enforced by the application. As a result, the user may gain unauthorized access to documents that contain sensitive information. This flaw is classified as an improper access control weakness (CWE‑284) and a resource access control issue (CWE‑602).

Affected Systems

The issue affects the Frappe web application framework. Versions earlier than 15.98.0, and versions earlier than 14.100.0, are vulnerable. The fix is included in Frappe 15.98.0 and 14.100.0 and later releases.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1 % suggests the likelihood of exploitation is low in the short term. This vulnerability is not listed in the CISA catalog of known exploited vulnerabilities, implying no confirmed high‑profile exploitation. Attackers would need to be authenticated users of the application. Exploitation is achieved by selecting a higher permission level when sharing a document, which the system does not validate against the user’s own privileges. Monitoring for abnormal document sharing permissions is advised, but the primary mitigation is to apply the vendor’s patch.

Generated by OpenCVE AI on April 17, 2026 at 12:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe to version 15.98.0 or 14.100.0 or later to remove the validation flaw.
  • If an immediate upgrade is not possible, disable the DocShare functionality or enforce stricter permission checks so that users cannot assign permissions higher than their own.
  • Review and remove any custom code or scripts that bypass access control checks for document sharing to ensure rigorous authorization enforcement.

Generated by OpenCVE AI on April 17, 2026 at 12:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe frappe
Vendors & Products Frappe
Frappe frappe

Thu, 05 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0.
Title Frappe: Broken Access Control in DocShare
Weaknesses CWE-284
CWE-602
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}

Subscriptions

Frappe Frappe
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T17:02:25.318Z

Reserved: 2026-03-03T20:51:43.483Z

Link: CVE-2026-29077

cve-icon Vulnrichment

Updated: 2026-03-06T17:02:21.716Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T21:16:22.790

Modified: 2026-03-09T19:04:25.283

Link: CVE-2026-29077

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses