Description
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the submit_discussion() endpoint of the Frappe web framework lets a caller act on discussion resources it should not be able to reach, an Insecure Direct Object Reference (IDOR) classified under CWE-284 (Improper Access Control) and CWE-285 (Improper Authorization). By placing identifiers of documents or discussions that belong to other users in the request parameters, the caller gets the server to accept discussion content against resources reserved for others. The published CVSS 4.0 vector (VC:N/VI:L) records a low integrity impact and no confidentiality impact, so the documented effect is unauthorized creation or modification of discussion data; the advisory text says only "unauthorized access to resources", and a disclosure impact should not be assumed beyond what the vector states.

Affected Systems

The vulnerability is in the Frappe framework itself: all 15.x releases before 15.107.0 and all 16.x releases before 16.17.0. Because submit_discussion() is part of the framework rather than an optional app, every deployment on an affected version should be treated as exposed until upgraded; the published vector (PR:N) indicates the endpoint is reachable without any prior privilege.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (Medium) comes from a vector that is network-reachable, low complexity, and requires neither privileges nor user interaction (AV:N/AC:L/AT:N/PR:N/UI:N), with a low integrity impact as the only recorded consequence. The EPSS estimate below 1% indicates a very low predicted probability of exploitation in the wild, and the CVE is not in the CISA KEV catalog, so no exploitation has been confirmed. Nonetheless, IDOR flaws are trivial to exploit once an attacker holds or can enumerate the target identifiers (Frappe document names are often predictable series), and since PR:N means no account is needed, exposure is greatest on internet-facing sites.

Generated by OpenCVE AI on June 12, 2026 at 16:53 UTC.

Remediation

Fixed upstream in Frappe 15.107.0 and 16.17.0 (per the advisory description). No separate workaround has been published; upgrading is the remediation.

OpenCVE Recommended Actions

  • Upgrade to Frappe 15.107.0 or later (15.x) or 16.17.0 or later (16.x), which contain the patch for the submit_discussion() IDOR.
  • Until the upgrade is in place, check how the endpoint is exposed. In Frappe, API methods are gated by the @frappe.whitelist() decorator and by has_permission()/check_permission() calls inside the method, not by routing middleware, so a perimeter rule that blocks unauthenticated calls is only a stop-gap: it does not stop an authenticated user from naming another user's document or discussion identifiers.
  • Enable and monitor audit logging for discussion creation and modification events, and review entries where the acting user has no other relationship to the referenced document.
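The two authorization decisions discussed above (the Impact section's "manipulating request parameters" and the recommendation to verify role checks on the endpoint) are shown side by side below as an added example. This is not Frappe's code and does not reproduce the real submit_discussion() signature or the upstream fix; Session, Reply, the permission table and has_permission() are hypothetical stand-ins for what a Frappe whitelisted method would get from frappe.has_permission() or doc.check_permission(). The vulnerable shape accepts whatever (doctype, docname) the request names; the hardened shape checks the caller against the referenced document, answers identically for missing and forbidden ids, and also guards the optional reply_name parameter, which is a second object reference of its own.

```python
"""Vulnerable and hardened shapes of a discussion-submission endpoint.

Added example, not Frappe's code. The data model, permission table and
function names are hypothetical stand-ins for how a Frappe whitelisted
method would call frappe.has_permission(); the real submit_discussion()
signature and the upstream fix are not reproduced here.
"""
from dataclasses import dataclass


class NotPermitted(Exception):
    """Raised where a real endpoint would return HTTP 403."""


@dataclass
class Session:
    user: str  # "Guest" is the unauthenticated pseudo-user, as in Frappe


@dataclass
class Reply:
    name: str
    owner: str
    doctype: str
    docname: str
    content: str


# Constructed sample data: two documents and the users allowed to read them.
DOCUMENTS = {
    ("Project", "PROJ-001"): {"owner": "alice@example.com",
                              "readers": {"alice@example.com"}},
    ("Project", "PROJ-002"): {"owner": "bob@example.com",
                              "readers": {"bob@example.com", "alice@example.com"}},
}
DISCUSSIONS: list[Reply] = []  # replies created by the endpoints below


def has_permission(user: str, doctype: str, docname: str, ptype: str = "read") -> bool:
    """Hypothetical stand-in for frappe.has_permission(doctype, ptype, doc)."""
    doc = DOCUMENTS.get((doctype, docname))
    if doc is None or user == "Guest":
        return False
    return user in doc["readers"] if ptype == "read" else user == doc["owner"]


def _new_reply(session, doctype, docname, content):
    reply = Reply(f"R-{len(DISCUSSIONS) + 1}", session.user, doctype, docname, content)
    DISCUSSIONS.append(reply)
    return reply.name


def vulnerable_submit_discussion(session, doctype, docname, reply):
    """IDOR shape: whatever (doctype, docname) the caller names is accepted.

    No check that the caller is authenticated, that the target exists, or
    that the caller may see it, so any id copied from a URL or guessed from
    a predictable naming series works.
    """
    return _new_reply(session, doctype, docname, reply)


def hardened_submit_discussion(session, doctype, docname, reply, reply_name=None):
    """Same operation with the authorization decisions the vulnerable form omits."""
    if session.user == "Guest":
        raise NotPermitted("authentication required")
    # Check permission on the *referenced* document, not just "is logged in";
    # a missing document gets the same answer so ids cannot be enumerated.
    if not has_permission(session.user, doctype, docname, "read"):
        raise NotPermitted("not permitted")
    if reply_name is None:
        return _new_reply(session, doctype, docname, reply)
    # Editing an existing reply: it must belong to the caller and to the
    # document named in the request, otherwise reply_name is a second IDOR.
    existing = next((r for r in DISCUSSIONS if r.name == reply_name), None)
    if existing is None or existing.owner != session.user \
            or (existing.doctype, existing.docname) != (doctype, docname):
        raise NotPermitted("not permitted")
    existing.content = reply
    return existing.name


def _blocked(call) -> bool:
    try:
        call()
    except NotPermitted:
        return True
    return False


def demo() -> dict:
    """Runs both endpoints against the sample data; returns what each allowed."""
    DISCUSSIONS.clear()
    guest, alice, bob = Session("Guest"), Session("alice@example.com"), Session("bob@example.com")
    mallory = Session("mallory@example.com")  # logged in, no access to either project
    out = {}
    out["vuln_guest_posts"] = vulnerable_submit_discussion(guest, "Project", "PROJ-001", "spam")
    out["vuln_mallory_posts"] = vulnerable_submit_discussion(mallory, "Project", "PROJ-001", "x")
    out["hard_guest_blocked"] = _blocked(lambda: hardened_submit_discussion(guest, "Project", "PROJ-001", "spam"))
    out["hard_mallory_blocked"] = _blocked(lambda: hardened_submit_discussion(mallory, "Project", "PROJ-001", "x"))
    out["hard_unknown_id_blocked"] = _blocked(lambda: hardened_submit_discussion(mallory, "Project", "PROJ-999", "x"))
    alice_reply = hardened_submit_discussion(alice, "Project", "PROJ-002", "status?")
    out["hard_alice_posts"] = alice_reply
    # bob may read PROJ-002 but must not be able to rewrite alice's reply via its id
    out["hard_bob_cannot_edit_alice"] = _blocked(
        lambda: hardened_submit_discussion(bob, "Project", "PROJ-002", "edited", reply_name=alice_reply))
    out["hard_alice_edits_own"] = hardened_submit_discussion(alice, "Project", "PROJ-002", "fixed", reply_name=alice_reply)
    out["total_replies"] = len(DISCUSSIONS)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module shows the vulnerable endpoint accepting posts from both the Guest session and an unrelated user against PROJ-001, while the hardened one rejects the same calls, rejects a non-existent id with the same error, and still lets an authorized reader post and edit her own reply. The point of checking against the referenced document rather than a role is that a role check alone ("is a System User") would still let mallory target PROJ-001.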



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Frappe
                                       Frappe frappe
Vendors & Products                     Frappe
                                       Frappe frappe

Fri, 12 Jun 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description                    Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
Title                          Frappe: IDOR in `submit_discussion()`
Weaknesses                     CWE-284
                               CWE-285
References
Metrics                        cvssV4_0
                               {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T14:26:17.323Z

Reserved: 2026-05-05T15:13:47.571Z

Link: CVE-2026-44208

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-12T16:16:27.843

Modified: 2026-06-12T16:17:58.070

Link: CVE-2026-44208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T17:00:07Z

Weaknesses