Description
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.
Published: 2026-04-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Exposure
Action: Immediate Patch
AI Analysis

Impact

Frappe is a full-stack web application framework that, prior to releases 16.14.0 and 15.104.0, allows unrestricted access to any Doctype through its API. The vulnerability is classified as CWE-862 (Missing Function- or Role-Level Access Control) and permits an attacker to read the full contents of any document type, potentially revealing sensitive business or personal data.

Affected Systems

All installations of the Frappe framework running any version earlier than 16.14.0 or 15.104.0 are affected. No restriction on deployment environment is mentioned; the issue applies wherever the default API endpoints are accessible.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity; the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The description does not state whether authentication is required, so it is uncertain whether the flaw can be exercised without valid credentials. The most likely attack vector is the web API exposed by the application, requiring network access to the Frappe instance. The vulnerability is not listed in CISA’s KEV catalog, and no public exploit is known.

Generated by OpenCVE AI on April 10, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Frappe 16.14.0 or later, or 15.104.0 or later.
  • After upgrading, confirm that API requests no longer return unrestricted Doctype data by testing sample endpoints.
  • If an immediate upgrade is not possible, temporarily limit or disable Doctype-related API endpoints until the patch can be applied.

Generated by OpenCVE AI on April 10, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe frappe
Vendors & Products Frappe
Frappe frappe

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.
Title Frappe allows unrestricted Doctype access via API exploit
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Frappe Frappe
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:10:37.051Z

Reserved: 2026-04-06T20:28:38.394Z

Link: CVE-2026-39351

cve-icon Vulnrichment

Updated: 2026-04-09T16:09:54.724Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T19:16:46.213

Modified: 2026-04-10T19:30:28.580

Link: CVE-2026-39351

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:26:22Z

Weaknesses