CVE-2026-44207 | Frappe is a full-stack web application framework. Prior to v… | CVSS 6.9 MEDIUM

Description

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0.

Metadata

CVE ID: CVE-2026-44207
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-05 15:13 UTC
Published: 2026-06-12 14:27 UTC
Last updated: 2026-06-12 16:28 UTC
Primary CWE: CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product: frappe / frappe
Sources: cve.org · NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
frappe	frappe	—	< 15.107.0, < 16.17.0

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639: Authorization Bypass Through User-Controlled Key

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References (1)

https://github.com/frappe/frappe/security/advisories/GHSA-cw6v-39qx-7r74 https://github.com/frappe/frappe/security/advisories/GHSA-cw6v-39qx-7r74