Description
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An IDOR vulnerability in the Frappe framework lets an authenticated user read the email configuration details of other users, exposing information such as email addresses and other email‑related settings. The weakness is a Direct Object Reference (CWE‑639).

Affected Systems

All builds of the Frappe framework older than version 15.107.0 in the 15.x line and before 16.17.0 in the 16.x line are affected.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. Because the flaw requires an authenticated user, an attacker must first obtain valid credentials to exploit the vulnerability. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on June 12, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe to version 15.107.0 or newer, or 16.17.0 or newer, to apply the fix.
  • Implement tighter access controls so that only privileged users can read or modify email configuration data.
  • Monitor application logs for anomalies that might indicate unauthorized reads of email configuration information.

Generated by OpenCVE AI on June 12, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe frappe
Vendors & Products Frappe
Frappe frappe

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0.
Title Frappe: Insecure Direct Object Reference for email accounts
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Frappe Frappe
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:28:29.384Z

Reserved: 2026-05-05T15:13:47.571Z

Link: CVE-2026-44207

cve-icon Vulnrichment

Updated: 2026-06-12T16:27:54.070Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T16:16:27.713

Modified: 2026-06-12T16:17:58.070

Link: CVE-2026-44207

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T17:00:07Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key