Authorization Bypass in Frappe Web Application Framework
CVE-2026-44976

5.3MEDIUM

Key Information:

Vendor

Frappe

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-44976?

The Frappe web application framework exhibits a vulnerability allowing any user to modify any field in any Onboarding Step record prior to version 16.17.4. This flaw undermines the integrity of user permissions and could lead to unauthorized changes within the application. To mitigate this risk, it is crucial that users update to version 16.17.4 or later, where this issue has been addressed. For more information, please refer to the advisory provided in the references.

Affected Version(s)

frappe < 16.17.4

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.