Cross-Site Request Forgery Vulnerability in Frappe Cloud Product
CVE-2026-41317

6.6 MEDIUM

Key Information:

Vendor: Frappe
Status: Vendor
CVE Published: 24 April 2026

What is CVE-2026-41317?

The Press app, the custom application that runs Frappe Cloud, had a significant vulnerability that exposed the press.api.account.create_api_secret endpoint to CSRF-like attacks. This endpoint creates API secrets, which is a database write, yet it could be reached with the GET method, so an unauthorized request could trigger that write. A security patch mitigates the risk by restricting the endpoint to POST requests only, preventing misuse that could lead to unauthorized modifications.
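As an added example (not code from the advisory or the Press project), a check a defender can run over web server access logs to find GET requests that reached this endpoint before the fix, which is the pattern described above; the combined log format, the site origin frappecloud.example and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Whitelisted methods that must only be reachable via POST (constructed list; the entry
# is the endpoint named in CVE-2026-41317). The server-side fix in Frappe is the whitelist
# decorator's method restriction, @frappe.whitelist(methods=["POST"]), not executed here.
POST_ONLY_METHODS = {"press.api.account.create_api_secret"}

# Assumed combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def frappe_method(path):
    """Map a Frappe /api/method/<dotted.name> URL path to the dotted name, else None."""
    p = urlsplit(path).path
    prefix = "/api/method/"
    if not p.startswith(prefix):
        return None
    return p[len(prefix):].rstrip("/")

def find_get_to_post_only(lines, own_origin="https://frappecloud.example"):
    """Return (ip, method_name, status, cross_origin) for GET hits on POST-only methods.

    A GET that reaches a state-changing method is the CSRF-like pattern the advisory
    describes; a referer outside our own origin (assumed name) makes the hit more suspicious.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        name = frappe_method(m["path"])
        if name not in POST_ONLY_METHODS:
            continue
        ref = m["referer"]
        cross_origin = ref not in ("", "-") and not ref.startswith(own_origin)
        hits.append((m["ip"], name, int(m["status"]), cross_origin))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2026:10:00:00 +0000] "GET /api/method/press.api.account.create_api_secret HTTP/1.1" 200 42 "https://third-party.example/page" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2026:10:00:05 +0000] "POST /api/method/press.api.account.create_api_secret HTTP/1.1" 200 42 "https://frappecloud.example/dashboard" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2026:10:00:09 +0000] "GET /api/method/press.api.account.get_account HTTP/1.1" 200 88 "https://frappecloud.example/dashboard" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Apr/2026:10:01:00 +0000] "GET /api/method/press.api.account.create_api_secret?x=1 HTTP/1.1" 403 12 "-" "curl/8.0"',
]
```

Only the two GET lines that hit the POST-only method are reported; a 403 after patching shows the restriction working, while a 200 before it is a write worth investigating.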

Affected Version(s)

press < 52ea2f2d1b587be0807557e96f025f47897d00fd

CVSS V4

Score: 6.6
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
