IDOR Vulnerability in Frappe Framework Exposes Email Configurations
CVE-2026-44207

6.9MEDIUM

Key Information:

Vendor

Frappe

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-44207?

The Frappe Framework is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability, which permits authenticated users to access email configuration details of other users without proper authorization. This flaw compromises user privacy as it enables unauthorized information disclosure. It has been addressed in Frappe Framework versions 15.107.0 and 16.17.0, so users are urged to update to these versions to mitigate the risk.

Affected Version(s)

frappe < 15.107.0 < 15.107.0

frappe < 16.17.0 < 16.17.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.