Description
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). `press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to the database and is also accessible via the GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts the method to POST.
Published: 2026-04-24
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized creation of API secrets
Action: Immediate Patch
AI Analysis

Impact

Press, a Frappe custom app for Frappe Cloud, exposes its API endpoint for creating API secrets through a GET method. The endpoint writes to the database, enabling the generation of new secrets. An attacker who can trigger a CSRF or directly call the endpoint can obtain a valid API secret, which could be used for unauthorized access.

Affected Systems

The vulnerability affects Frappe Press. No specific version is listed, so any deployment that includes the unpatched `press.api.account.create_api_secret` endpoint is susceptible.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by issuing a GET request to the endpoint to generate a new API secret. The risk is unauthorized access through API secret creation.

Generated by OpenCVE AI on April 28, 2026 at 23:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Frappe Press to the version containing commit 52ea2f2d1b587be0807557e96f025f47897d00fd or later, which restricts the method to POST.
  • If an upgrade is not immediately possible, configure the web application firewall or proxy to block GET requests to the /api/account/create_api_secret endpoint, ensuring only POST is allowed.
  • Enforce CSRF protection and require authentication for the endpoint by validating a CSRF token, following CWE-352 best practices to prevent unauthorized state changes via HTTP methods.
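As an added illustration of the second recommendation (this is example configuration written for this page, not taken from the advisory, OpenCVE or the Press project), the nginx block below refuses every HTTP method except POST on the secret-creation endpoint before the request reaches the application. The route path is the one named in the recommendation, and the upstream name `frappe_backend` is an assumption; Frappe deployments commonly serve whitelisted methods under `/api/method/<dotted.path>`, so match the route your installation actually exposes.

```nginx
# Added example (not from the page or the project): proxy-side method restriction
# for the API-secret endpoint while the application-level fix is being rolled out.
#
# Before: a plain location that forwards any method, so a GET reaches the
# endpoint and the secret is created exactly as a POST would create it.
#
# location = /api/account/create_api_secret {          # assumed route
#     proxy_pass http://frappe_backend;                 # assumed upstream name
# }
#
# After: only POST is forwarded. limit_except lists the ALLOWED methods; GET is
# not listed, so GET and HEAD (which nginx ties to GET) both get the deny rule.
location = /api/account/create_api_secret {            # assumed route
    limit_except POST {
        deny all;                                       # 403 for GET, HEAD and anything else
    }
    proxy_pass http://frappe_backend;                   # assumed upstream name
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```

After reloading nginx, a GET to the path should return 403 while a POST is still forwarded to the application; the 403 lines in the access log also give a simple signal of attempts to reach the endpoint with the wrong method. This is a stop-gap only: it does not add CSRF-token validation (the third recommendation), which still has to be enforced in the application.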


Advisories

No advisories yet.

History

Thu, 30 Apr 2026 15:00:00 +0000

Type     | Values Removed | Values Added
CPEs     |                | cpe:2.3:a:frappe:press:*:*:*:*:*:*:*:*
Metrics  |                | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Mon, 27 Apr 2026 23:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Frappe; Frappe press
Vendors & Products  |                | Frappe; Frappe press

Fri, 24 Apr 2026 12:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 02:45:00 +0000

Type         | Values Removed | Values Added
Description  |                | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.
Title        |                | Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation
Weaknesses   |                | CWE-352
References   |                |
Metrics      |                | cvssV4_0 {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T12:05:33.679Z

Reserved: 2026-04-20T14:01:46.671Z

Link: CVE-2026-41317

Vulnrichment

Updated: 2026-04-24T12:05:30.578Z

NVD

Status : Analyzed

Published: 2026-04-24T03:16:12.113

Modified: 2026-04-30T14:53:51.787

Link: CVE-2026-41317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z

Weaknesses