CVE-2026-39351 in Frappe
Summary
by MITRE • 04/07/2026
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.
Analysis
by VulDB Data Team • 04/07/2026
CVE-2026-39351 affects the Frappe web application framework, a full-stack platform widely used to build business applications. The flaw is a critical access control weakness: it lets users bypass the framework's normal restrictions and reach Document Type (Doctype) data through the application programming interface without holding the permissions that data requires. Releases before 16.14.0 on the version 16 branch and before 15.104.0 on the version 15 branch are affected.
The flaw stems from insufficient authorization checks in the API endpoints that handle Doctype operations. When a request reaches such an endpoint, the framework should verify that the requesting user holds the permission the operation needs on that specific Doctype before any data is read or changed. Here that check can be circumvented with a suitably crafted API request, so a caller can reach Doctypes regardless of the roles and permissions actually assigned to their account. This is a breakdown of the framework's access control model and a violation of least privilege: authorization has to be enforced on the server for every access path, not only in the user interface that normally fronts the API.
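The pattern described above, as an added example: a Doctype API handler that takes the Doctype name from the request and serves it without consulting the caller's roles, beside the hardened form that resolves the permission type from the operation and checks it before touching data. This is not Frappe's code; the doctypes, roles, records and the in-memory permission table are constructed for the demonstration.

```python
"""Model of a Doctype API handler missing its authorization check, beside the
hardened form.  Added, self-contained example: not Frappe's code.  The
doctypes, roles, records and permission table are constructed for it."""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller lacks the permission the operation needs."""


# Constructed permission table: role -> doctype -> allowed permission types.
# "*" stands for every doctype (an administrator-style role).
ROLE_PERMS = {
    "Sales User": {"Customer": {"read", "write"}, "Sales Invoice": {"read"}},
    "HR Manager": {"Salary Slip": {"read", "write", "delete"}},
    "System Manager": {"*": {"read", "write", "delete"}},
}

# Constructed document store: doctype -> list of records.
STORE = {
    "Customer": [{"name": "CUST-0001", "customer_name": "Acme Ltd"}],
    "Sales Invoice": [{"name": "SINV-0001", "grand_total": 1200.0}],
    "Salary Slip": [{"name": "SAL-0001", "employee": "EMP-0007", "net_pay": 4300.0}],
}

# HTTP method -> permission type the operation needs (anything else is denied).
METHOD_PTYPE = {"GET": "read", "POST": "write", "DELETE": "delete"}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def has_permission(user: User, doctype: str, ptype: str) -> bool:
    """True if any of the user's roles grants ptype on doctype."""
    for role in user.roles:
        grants = ROLE_PERMS.get(role, {})
        if ptype in grants.get("*", set()) or ptype in grants.get(doctype, set()):
            return True
    return False


def handle_request_vulnerable(user: User, method: str, doctype: str) -> list:
    """The flawed pattern: the doctype name from the request selects the data
    directly and nothing consults the caller's roles, so any caller who can
    reach the endpoint reaches any doctype."""
    return [dict(r) for r in STORE.get(doctype, [])]


def handle_request(user: User, method: str, doctype: str, payload=None) -> list:
    """Hardened pattern: map the operation to a permission type, deny unknown
    operations and doctypes, and check the caller's roles before any data is
    read or changed."""
    ptype = METHOD_PTYPE.get(method.upper())
    if ptype is None:
        raise AuthorizationError(f"unsupported method {method!r}")
    # Unknown doctypes get the same error as a permission failure so the
    # endpoint cannot be used to enumerate which doctypes exist.
    if doctype not in STORE or not has_permission(user, doctype, ptype):
        raise AuthorizationError(f"{user.name} may not {ptype} {doctype}")
    records = STORE[doctype]
    if ptype == "read":
        return [dict(r) for r in records]
    if ptype == "write":
        record = dict(payload or {})
        records.append(record)
        return [record]
    removed = len(records)          # ptype == "delete"
    records.clear()
    return [{"deleted": removed}]


def is_denied(user: User, method: str, doctype: str) -> bool:
    """Convenience check: does the hardened handler refuse this request?"""
    try:
        handle_request(user, method, doctype)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    sales = User("sales@example.com", frozenset({"Sales User"}))
    print(handle_request_vulnerable(sales, "GET", "Salary Slip"))  # payroll leaks
    print(is_denied(sales, "GET", "Salary Slip"))                   # hardened: True
```

The point of the hardened handler is that the permission check sits in front of every operation on the server side and is keyed on both the Doctype and the permission type the operation needs, with unknown operations and unknown Doctypes failing closed. In a real Frappe application the analogous building blocks are `frappe.has_permission()` and the permission-applying `frappe.get_list()` rather than the unchecked `frappe.get_all()`, though which code path the CVE itself concerns is not stated in the advisory.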
The operational impact is severe. An attacker can use the weakness to extract sensitive business data, including customer information, financial records and proprietary documents that should be visible only to authorized personnel. Depending on which operations the affected endpoints expose, the exposure can extend beyond reading to writing and deleting records, which would allow data manipulation or destruction rather than only theft. The risk is greatest for organizations running Frappe for mission-critical applications such as ERP systems, CRM platforms and custom business solutions, where data integrity and confidentiality are paramount; a successful attack there means a data breach, possible regulatory compliance violations and financial loss.
Organizations should upgrade without delay: to 16.14.0 on the version 16 branch or to 15.104.0 on the version 15 branch. Until the upgrade is in place, security teams should monitor API access patterns for signs of exploitation, for example one account requesting many distinct Doctypes in a short window or requesting Doctypes outside the set its roles would normally touch. The weakness is classified as CWE-285 (Improper Authorization). The ATT&CK mappings given for it are T1078.004 (Valid Accounts: Cloud Accounts) and T1566.001 (Phishing: Spearphishing Attachment); the second describes how an attacker might first obtain an account, not the authorization gap itself. Organizations should also assess their Frappe deployments as a whole and review custom API endpoints for the same class of gap, such as methods that read or modify a Doctype named in the request without a server-side permission check. Regular security testing and code review of access control logic will catch such gaps before they reach production.
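The monitoring recommended above, as an added example of detection logic run over API access logs. This is not VulDB's or Frappe's tooling: the log format, the field names, the baseline of expected Doctypes per account and the sample lines are all constructed for the demonstration, and a real deployment would first map its web server or application log into these fields.

```python
"""Detection logic for Doctype-level API abuse over a constructed access log.
Added example, not VulDB's or Frappe's tooling: log format, field names,
baseline and sample lines are constructed for the demonstration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log: one JSON object per line with timestamp, account,
# HTTP method, requested doctype and HTTP status.
SAMPLE_LOG = """\
{"ts": "2026-04-07T09:00:01Z", "user": "sales@example.com", "method": "GET", "doctype": "Customer", "status": 200}
{"ts": "2026-04-07T09:00:05Z", "user": "sales@example.com", "method": "GET", "doctype": "Sales Invoice", "status": 200}
{"ts": "2026-04-07T09:01:00Z", "user": "hr@example.com", "method": "GET", "doctype": "Salary Slip", "status": 200}
{"ts": "2026-04-07T09:02:10Z", "user": "guest@example.com", "method": "GET", "doctype": "User", "status": 200}
{"ts": "2026-04-07T09:02:11Z", "user": "guest@example.com", "method": "GET", "doctype": "Salary Slip", "status": 200}
{"ts": "2026-04-07T09:02:12Z", "user": "guest@example.com", "method": "GET", "doctype": "Sales Invoice", "status": 200}
{"ts": "2026-04-07T09:02:13Z", "user": "guest@example.com", "method": "GET", "doctype": "Customer", "status": 200}
{"ts": "2026-04-07T09:02:14Z", "user": "guest@example.com", "method": "GET", "doctype": "Employee", "status": 200}
{"ts": "2026-04-07T09:02:15Z", "user": "guest@example.com", "method": "GET", "doctype": "Bank Account", "status": 200}
{"ts": "2026-04-07T09:40:00Z", "user": "sales@example.com", "method": "GET", "doctype": "Salary Slip", "status": 200}
"""

# Constructed baseline: the doctypes each account is expected to touch.
EXPECTED_DOCTYPES = {
    "sales@example.com": {"Customer", "Sales Invoice"},
    "hr@example.com": {"Salary Slip", "Employee"},
}


def parse_log(text: str) -> list:
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_enumeration(events: list, window=timedelta(minutes=5), threshold=5) -> list:
    """Alert when one account successfully reaches `threshold` or more distinct
    doctypes inside a sliding time `window` (one alert per account)."""
    alerts = []
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["status"] == 200:
            by_user[event["user"]].append(event)
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["doctype"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"rule": "doctype_enumeration", "user": user,
                               "doctypes": sorted(distinct),
                               "first": evs[start]["ts"].isoformat(),
                               "last": evs[end]["ts"].isoformat()})
                break
    return alerts


def detect_out_of_role_access(events: list, expected: dict) -> list:
    """Alert on a successful request for a doctype outside the account's
    baseline.  Accounts without a baseline are skipped: they need one first,
    which is exactly what the enumeration rule above covers for guest@."""
    alerts = []
    for event in events:
        allowed = expected.get(event["user"])
        if allowed is None or event["status"] != 200:
            continue
        if event["doctype"] not in allowed:
            alerts.append({"rule": "out_of_role_access", "user": event["user"],
                           "doctype": event["doctype"], "ts": event["ts"].isoformat()})
    return alerts


def run(text: str = SAMPLE_LOG, expected: dict = EXPECTED_DOCTYPES) -> list:
    """Run both rules over a log and return the combined alert list."""
    events = parse_log(text)
    return detect_enumeration(events) + detect_out_of_role_access(events, expected)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both rules key on successful (status 200) requests, since a failed request is the normal outcome of an unauthorized attempt and a success is what an exploit produces. The thresholds and the window are starting points to tune against the deployment's own traffic; in particular, integration accounts that legitimately sweep many Doctypes need either a baseline entry or an allow-list.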