Description
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The endpoint in Frappe that resets onboarding (form) tours is missing an authorization check (CWE-862). Any authenticated user can trigger the reset for all users, altering onboarding settings they are not permitted to manage. This flaw lets an attacker with a low-privilege account remove custom onboarding workflows from the system, reducing the effectiveness of user training and potentially revealing sensitive system usage patterns.

Affected Systems

The vulnerability affects the Frappe full-stack web application framework. The issue exists in all versions prior to 15.107.2 of Frappe 15 and prior to 16.17.4 of Frappe 16, meaning that systems running any earlier release are impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. It is not listed in the CISA KEV catalog. Because the flaw requires an authenticated user, the likely attack vector is an attacker who already holds valid credentials using the reset functionality to modify onboarding settings across the system. The documented exploitability assumes the attacker can reach the reset endpoint, which is accessible to all authenticated sessions.

Generated by OpenCVE AI on June 12, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the published patches that ship in Frappe 15.107.2 or 16.17.4 so that the reset onboarding endpoint requires proper authorization.
  • If upgrading cannot be performed immediately, temporarily restrict the reset onboarding functionality by removing the permission from roles that are not required to manage onboarding.
  • Continuously monitor authentication and reset logs for any unauthorized or unexpected reset activity and investigate promptly.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 17:30:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 16:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared  (none)            Frappe; Frappe frappe
Vendors & Products   (none)            Frappe; Frappe frappe

Fri, 12 Jun 2026 15:45:00 +0000

Type          Values Removed    Values Added
Description   (none)            Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.
Title         (none)            Frappe: Missing authorization on reset form tours
Weaknesses    (none)            CWE-862
References    (none)            (none)
Metrics       (none)            cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:43:56.354Z

Reserved: 2026-05-08T16:23:33.264Z

Link: CVE-2026-44975

Vulnrichment

Updated: 2026-06-12T16:43:53.009Z

NVD

Status: Deferred

Published: 2026-06-12T16:16:28.120

Modified: 2026-06-12T16:17:58.070

Link: CVE-2026-44975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses