CVE-2026-47422 in Frappeinfo

Summary

by MITRE • 07/10/2026

Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The Frappe web application framework presents a critical access control vulnerability that affects versions prior to 15.107.5 and 16.18.2. This flaw resides within the reportview endpoint functionality, which serves as a core component for data visualization and reporting capabilities within the platform. The vulnerability stems from insufficient authorization validation mechanisms that fail to properly verify user permissions before executing sensitive operations. Attackers can exploit this weakness to gain unauthorized access to restricted data and reporting functionalities that should only be available to authorized personnel with appropriate privileges.

The technical implementation of this vulnerability demonstrates a classic permission bypass flaw that aligns with CWE-285, which addresses improper authorization in software systems. The reportview endpoint fails to validate whether the requesting user possesses adequate permissions to access specific reports or datasets, creating an avenue for privilege escalation attacks. This weakness exists at the application logic level where authentication and authorization checks are either absent or inadequately implemented, allowing malicious actors to manipulate API calls or direct requests to retrieve information they should not be authorized to access. The flaw represents a fundamental breakdown in the framework's security model that undermines the integrity of the entire system.

The operational impact of this vulnerability extends beyond simple data exposure, as it enables attackers to potentially access sensitive business intelligence, financial reports, user data, and other confidential information stored within the Frappe application environment. Security researchers have identified that this vulnerability could be leveraged in conjunction with other attack vectors to achieve more comprehensive system compromise, making it particularly dangerous in enterprise environments where the framework handles critical organizational data. The exploitation of this flaw can result in significant financial losses, regulatory compliance violations, and reputational damage for organizations relying on the Frappe platform.

Organizations utilizing Frappe frameworks must implement immediate remediation measures by upgrading to version 15.107.5 or 16.18.2 where the vulnerability has been addressed through proper permission validation mechanisms. Security teams should conduct comprehensive audits of all reportview endpoints and related functionalities to ensure no unauthorized access paths remain available. The mitigation strategy should include implementing robust input validation, enforcing strict role-based access controls, and establishing monitoring protocols to detect anomalous access patterns that might indicate exploitation attempts. Additionally, organizations should consider implementing network-level restrictions and API rate limiting to reduce the attack surface and prevent automated exploitation of this vulnerability. This remediation aligns with ATT&CK technique T1078 which addresses valid accounts and privilege escalation through unauthorized access to system resources.

Responsible

GitHub M

Reservation

05/19/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!