Description
Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Any authenticated user of a vulnerable Frappe instance can retrieve private files by guessing or enumerating their paths, disclosing data that was meant to be restricted to authorized users. The root cause is a missing authorization check on the file-retrieval path (CWE-284, improper access control): the server trusts that a request for a private file comes from someone entitled to it. The CVSS 4.0 vector rates confidentiality impact as low (VC:L) and integrity and availability as none: reading files does not change system state, and the advisory describes no write or delete access.

Affected Systems

The advisory covers Frappe framework releases before 16.17.4. Any account that can authenticate, including ordinary users with no administrative role (PR:L in the vector), can trigger the flaw. The advisory names only the Frappe framework itself; applications deployed on top of an affected Frappe version rely on the framework to serve their files and should be treated as exposed through it.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 (Medium) reflects a flaw reachable over the network with low attack complexity, tempered by the need for an authenticated account and the low confidentiality impact. The EPSS value below 1% and absence from CISA KEV indicate no observed exploitation at publication, and the SSVC assessment recorded in the history below lists Exploitation: none and Automatable: no. The attack path is an ordinary authenticated web session: the attacker requests private file URLs directly, guessing or enumerating the path instead of reaching the file from a record they are allowed to see. No code execution or privilege escalation is involved, which also makes the activity easy to miss unless file-download requests are logged and reviewed.
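As an added illustration of the log review described above (example code written for this page, not Frappe's own): a small checker that reads nginx combined-format access logs and flags clients that request many distinct private file paths with mostly failed responses, the pattern a path-guessing session leaves behind. It assumes Frappe serves private attachments under the URL prefix /private/files/ and that nginx sits in front of it; the sample log lines are constructed, not real traffic.

```python
"""Spot private-file path guessing against a Frappe site in nginx access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: Frappe serves private attachments under this prefix. Public files
# live under /files/ and are ignored here.
PRIVATE_PREFIX = "/private/files/"

# nginx "combined" log format: ip - user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic (not real log data). 203.0.113.7 walks sequential
# file names with no Referer; 198.51.100.20 opens one attachment from the desk UI.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2026:14:02:11 +0000] "GET /private/files/invoice-0001.pdf HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2026:14:02:12 +0000] "GET /private/files/invoice-0002.pdf HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2026:14:02:12 +0000] "GET /private/files/invoice-0003.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2026:14:02:13 +0000] "GET /private/files/invoice-0004.pdf HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2026:14:02:13 +0000] "GET /private/files/payroll-2026-05.xlsx HTTP/1.1" 200 9034 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2026:14:02:14 +0000] "GET /private/files/invoice-0005.pdf HTTP/1.1" 403 120 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2026:14:05:40 +0000] "GET /app/file HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2026:14:05:41 +0000] "GET /private/files/invoice-0003.pdf HTTP/1.1" 200 48211 "https://frappe.example/app/file" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2026:14:06:02 +0000] "GET /files/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string so ?x=1 variants of one file count as one path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def private_file_requests(lines):
    """Keep only parsed requests for paths under the private-file prefix."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(PRIVATE_PREFIX):
            out.append(rec)
    return out


def find_guessing(lines, min_paths=3, min_miss_ratio=0.5):
    """Return {client_ip: report} for clients whose private-file requests look like enumeration.

    A client is flagged when it touched at least `min_paths` distinct private
    files and at least `min_miss_ratio` of those requests did not return 200.
    """
    by_client = defaultdict(list)
    for rec in private_file_requests(lines):
        by_client[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        paths = {r["path"] for r in recs}
        misses = sum(1 for r in recs if r["status"] != 200)
        hits = [r for r in recs if r["status"] == 200]
        if len(paths) < min_paths or misses / len(recs) < min_miss_ratio:
            continue
        flagged[ip] = {
            "distinct_paths": len(paths),
            "requests": len(recs),
            "misses": misses,
            "miss_ratio": round(misses / len(recs), 2),
            "span_seconds": (recs[-1]["time"] - recs[0]["time"]).total_seconds(),
            # Files actually served to the guessing client: check these against the
            # File records' ownership to confirm whether disclosure occurred.
            "served": sorted({r["path"] for r in hits}),
            # Direct downloads with no Referer from the desk UI are a further tell.
            "served_without_referer": sum(1 for r in hits if r["referer"] == "-"),
        }
    return flagged


if __name__ == "__main__":
    for ip, report in find_guessing(SAMPLE_LOG.splitlines()).items():
        print(ip, report)
```

The thresholds are deliberately loose so the checker runs on a full day's log; tighten `min_paths` or add a time window for busy sites. Because the combined format does not log the Frappe session cookie, clients are keyed by IP; if several users share a NAT address, switch nginx to a log format that records the `sid` cookie and key on that instead.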

Generated by OpenCVE AI on June 12, 2026 at 16:26 UTC.

Remediation

Vendor fix: Frappe 16.17.4, as stated in the description. No separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade the Frappe framework to version 16.17.4 or newer, which contains the access‑control fix.
  • After upgrading, verify the fix with a low‑privilege test account: request the URL of a private file that account has no permission to see and confirm the server refuses it, while the file's owner can still download it.
  • If the upgrade cannot be applied immediately, reduce exposure at the reverse proxy and in monitoring: rate‑limit or alert on bursts of requests for private file paths from a single client, and review access logs for sequential or guessed file names that mix 404 responses with 200s. Blocking the private‑file URL pattern outright is a last resort, since it also breaks legitimate attachment downloads.

Generated by OpenCVE AI on June 12, 2026 at 16:26 UTC.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 17:30:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 16:45:00 +0000

Type: First Time appeared
Values added: Frappe; Frappe frappe

Type: Vendors & Products
Values added: Frappe; Frappe frappe

Fri, 12 Jun 2026 15:45:00 +0000

Type: Description
Values added: Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.

Type: Title
Values added: Frappe: Broken Access Control on Private Files

Type: Weaknesses
Values added: CWE-284

Type: References
Values added:

Type: Metrics
Values added: cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:26:53.911Z

Reserved: 2026-05-18T22:07:37.434Z

Link: CVE-2026-47182

Vulnrichment

Updated: 2026-06-12T16:26:50.775Z

NVD

Status: Deferred

Published: 2026-06-12T16:16:29.500

Modified: 2026-06-12T16:17:58.070

Link: CVE-2026-47182

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses