Description
Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Before 16.17.4, any authenticated user can invoke update_onboarding_step to modify any field of any Onboarding Step record. This IDOR flaw permits privilege escalation, allowing attackers to tamper with onboarding data, compromising data integrity and potentially exposing sensitive configuration details. The weakness is a classic example of improper authorization (CWE-284).

Affected Systems

The flaw affects installations of the Frappe framework running versions earlier than 16.17.4. Any deployment using this framework is susceptible, as no vendor restriction is applied to the update interface.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. The EPSS score is below 1%, suggesting a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack likely requires an authenticated user with access to the application; no publicly exposed remote vector is indicated in the description.

Generated by OpenCVE AI on June 12, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frappe to version 16.17.4 or later.
  • If an immediate upgrade is not feasible, restrict application users so that only privileged roles can access the update_onboarding_step functionality.
  • Monitor system logs for unauthorized modifications to Onboarding Step records.

Generated by OpenCVE AI on June 12, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Frappe
Frappe frappe
Vendors & Products Frappe
Frappe frappe

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
Title Frappe: IDOR in update_onboarding_step
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Frappe Frappe
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:57:57.457Z

Reserved: 2026-05-08T16:23:33.264Z

Link: CVE-2026-44976

cve-icon Vulnrichment

Updated: 2026-06-12T15:57:53.636Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T16:16:28.260

Modified: 2026-06-12T16:20:22.063

Link: CVE-2026-44976

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T17:30:06Z

Weaknesses