CVE-2026-47199 in Frappe
Summary
by MITRE • 07/10/2026
Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, check_safe_sql_query permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in versions 16.18.3 and 15.108.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/11/2026
The vulnerability in Frappe framework represents a critical database access control flaw that stems from insufficient validation of SQL query constructs within the check_safe_sql_query function. This weakness specifically allows malicious actors to execute SELECT INTO OUTFILE statements, which are typically restricted database operations designed to write query results directly to files on the server filesystem. The vulnerability exists in versions prior to 16.18.3 and 15.108.0 where the security validation logic fails to properly sanitize or reject these particular SQL constructs despite their potential for severe exploitation.
The technical implementation of this flaw relies on the MySQL database's FILE privilege system, which controls whether users can write files to the server filesystem using operations like SELECT INTO OUTFILE. When database permissions are improperly configured and the MySQL user account has FILE privileges enabled, attackers can leverage this vulnerability to extract sensitive data from the database and potentially write malicious payloads to disk. The security boundary is breached because the check_safe_sql_query function does not adequately distinguish between legitimate and dangerous SQL operations, allowing what should be restricted administrative commands to pass through validation mechanisms.
From an operational impact perspective, this vulnerability creates significant risk for self-hosted Frappe applications where database security configurations may not align with best practices. Attackers could potentially exfiltrate sensitive data such as user credentials, personal information, financial records, or proprietary business data directly from the database server without proper authorization. The exploitation requires minimal privileges beyond basic database access and knowledge of the target application's structure, making it particularly dangerous in environments where database permissions are overly permissive or poorly managed.
The fix implemented in versions 16.18.3 and 15.108.0 addresses this through enhanced input validation that explicitly blocks SELECT INTO OUTFILE and similar potentially dangerous SQL operations from being executed through the framework's query interface. This remediation aligns with security best practices outlined in CWE-74 and CWE-94, which address improper neutralization of special elements used in data queries and injection flaws respectively. Organizations should implement this patch immediately to prevent exploitation and consider additional security measures such as database privilege hardening, regular security audits of database configurations, and monitoring for suspicious file system activities that could indicate successful exploitation attempts.
The vulnerability demonstrates the importance of defense-in-depth security practices in web application frameworks where database interactions require careful validation and sanitization. It also highlights how seemingly minor oversights in input validation can create significant attack vectors, particularly when applications interact directly with backend databases using user-provided inputs. Security teams should conduct comprehensive assessments of their Frappe installations to ensure proper patching and verify that database permissions are appropriately restricted according to the principle of least privilege as recommended by various cybersecurity frameworks including NIST SP 800-53 and ISO 27001 standards.