CVE-2026-29077 in Frappe
Summary
by MITRE • 03/05/2026
Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/10/2026
The vulnerability identified as CVE-2026-29077 resides within the Frappe web application framework, a full-stack development platform widely used for building business applications. This security flaw represents a critical access control issue that undermines the fundamental security model of document sharing within the platform. The vulnerability specifically affects versions prior to 15.98.0 and 14.100.0, indicating that the developers recognized and addressed this weakness in their subsequent releases. The core problem manifests when users attempt to share documents with other users, creating a scenario where privilege escalation can occur through improper access control validation.
The technical flaw stems from insufficient input validation during the document sharing process, allowing malicious or unauthorized users to grant permissions to documents that they themselves do not possess. This represents a classic case of privilege escalation where users can effectively bypass the normal access control mechanisms that should prevent them from sharing content they cannot access themselves. The vulnerability creates a scenario where users can share documents with read, write, or administrative permissions that exceed their own capabilities, potentially leading to unauthorized data exposure or manipulation. This flaw directly violates the principle of least privilege and demonstrates a failure in the authorization validation process.
The operational impact of this vulnerability extends beyond simple data exposure, as it creates potential pathways for data integrity compromise and unauthorized access to sensitive business information. An attacker exploiting this vulnerability could potentially share confidential documents with other users who should not have access, or even grant themselves elevated permissions they do not legitimately possess. This weakness particularly affects organizations relying on Frappe for business-critical applications where document sharing and access control are fundamental to operational security. The vulnerability could enable insider threats or external attackers to gain unauthorized access to sensitive business data, potentially leading to data breaches, compliance violations, and financial losses.
Organizations utilizing Frappe frameworks must implement immediate mitigation strategies including mandatory updates to versions 15.98.0 or 14.100.0 to address this vulnerability. Additionally, security teams should conduct comprehensive audits of existing document sharing configurations to identify any potential misuse of this vulnerability. The remediation process should include reviewing all document sharing permissions and implementing stricter access control policies. Organizations should also consider implementing monitoring solutions to detect unusual sharing patterns or permission changes that might indicate exploitation attempts. This vulnerability aligns with CWE-284, which describes improper access control, and represents a clear violation of the principle of least privilege. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques where adversaries leverage insufficient access controls to gain unauthorized permissions. The fix implemented by the Frappe development team addresses the root cause by enforcing proper validation of user permissions before allowing document sharing operations, ensuring that users cannot grant access they themselves do not possess.