Description
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in the Frappe framework allows an attacker to call the 'relink' and 'set_email_password' endpoints without proper permission checks. The missing check permits an unauthenticated or low-privileged user to modify email credentials or re-associate accounts, which can lead to compromise of user accounts, data exfiltration, or service disruption. The weakness maps to CWE-862 (Missing Authorization).

Affected Systems

The affected product is the Frappe framework, specifically versions earlier than 15.107.0 for the 15.x series and earlier than 16.17.0 for the 16.x series. Administrators should verify which major release they are running and the patch level to confirm exposure.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 rates as Medium severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the CVE is not listed in the CISA KEV catalog. Attackers could exploit the flaw via HTTP requests to the vulnerable endpoints if they can discover them, likely through fuzzing or known integration points. Because no authentication is required, the flaw has wide-ranging impact across all users of affected installations.

Generated by OpenCVE AI on June 12, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frappe installation to version 15.107.0 or newer (or 16.17.0 or newer for the 16.x series).
  • Confirm that no custom code overrides the 'relink' and 'set_email_password' endpoints in a way that bypasses or removes the permission checks added by the patch.
  • Restrict network or application access to the '/relink' and '/set_email_password' routes until the patch is applied.
  • Audit any customizations or plugins that interact with these endpoints to ensure they implement proper access controls.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 17:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Frappe, Frappe frappe
Vendors & Products  |                | Frappe, Frappe frappe

Fri, 12 Jun 2026 16:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
Title       |                | Frappe: Lack of permissions checks in 'relink' and 'set_email_password' endpoints
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:07:17.900Z

Reserved: 2026-06-02T22:46:02.580Z

Link: CVE-2026-50026

Vulnrichment

Updated: 2026-06-12T16:07:15.058Z

NVD

Status : Deferred

Published: 2026-06-12T16:16:31.580

Modified: 2026-06-12T16:17:58.070

Link: CVE-2026-50026

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T17:30:06Z

Weaknesses