CVE-2026-48127 in Frappe
Summary
by MITRE • 07/11/2026
Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as add_attachments. This issue is fixed in versions 16.20.0 and 15.110.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/11/2026
The vulnerability in Frappe web application framework represents a critical access control flaw that allows unauthorized users to upload files to any document type within the system. This security weakness stems from insufficient validation of user permissions when processing file attachment requests through the add_attachments API endpoint. The flaw exists in versions prior to 16.20.0 and 15.110.0, where the framework fails to properly verify whether the requesting user possesses adequate write privileges before permitting file uploads to arbitrary doctypes. This represents a direct violation of the principle of least privilege and demonstrates a significant failure in the application's authorization mechanisms.
The technical implementation of this vulnerability allows malicious actors with read-only or limited access permissions to bypass normal file upload restrictions by directly calling the file handling API endpoints. When users submit requests to add_attachments, the system should validate that the authenticated user has write access to the target doctype before processing the file upload operation. However, in vulnerable versions, this validation check is either absent or inadequately implemented, enabling attackers to attach files to any document type regardless of their assigned permissions. This flaw falls under CWE-284 which specifically addresses improper access control and weak access control mechanisms in software applications.
The operational impact of this vulnerability extends beyond simple unauthorized file uploads, as it could enable attackers to manipulate system data through malicious file attachments. Depending on the application configuration and the nature of the doctypes involved, threat actors might be able to attach executable files, malware payloads, or sensitive documents that could compromise system integrity and confidentiality. The vulnerability also creates potential for data exfiltration scenarios where attackers can attach files containing sensitive information to document types they should not normally access. From an attacker's perspective, this represents a low-effort path to escalate privileges and gain unauthorized control over system resources.
Security mitigations for this vulnerability require immediate implementation of version updates to 16.20.0 or 15.110.0 where the access control checks have been properly implemented. Organizations should also conduct thorough security assessments to identify any potential abuse of this vulnerability that may have occurred prior to patching. Additional defensive measures include implementing network-level restrictions on file upload endpoints, monitoring for unusual file attachment patterns, and conducting regular permission audits to ensure proper access controls remain in place. The fix addresses the underlying issue by enforcing proper authorization checks before allowing file attachments, aligning with the ATT&CK technique T1078 which covers valid accounts and privilege escalation through unauthorized access to system resources.