CVE-2026-49394 in Frappeinfo

Summary

by MITRE • 07/10/2026

Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The vulnerability identified in Frappe web application framework affects versions prior to 16.19.0 and represents a critical authorization bypass flaw that undermines the security model of workspace management functionality. This issue specifically impacts the update_page endpoint within the Workspace component where public workspaces fail to undergo proper authorization verification. The flaw stems from insufficient access control checks that should prevent unauthorized modifications to workspace content, particularly when dealing with public-facing workspace configurations.

The technical implementation of this vulnerability resides in the Workspace Manager's edit validation process which fails to properly verify user permissions for public workspaces. When users attempt to update pages through the update_page endpoint, the system does not adequately enforce the required Workspace Manager edit privileges that should be mandatory for any modifications. This creates a scenario where unauthorized individuals can potentially modify workspace content without proper authorization, effectively bypassing the intended security controls that separate public and private workspace access levels.

From an operational perspective, this authorization bypass vulnerability presents significant risks to organizations relying on Frappe's workspace functionality for content management and collaboration. Attackers could exploit this flaw to modify public workspace pages, inject malicious content, or alter configuration settings that affect multiple users. The impact extends beyond simple content modification as it potentially allows for privilege escalation within the workspace environment, enabling attackers to gain deeper access to system resources or manipulate workflow processes that depend on workspace integrity.

The vulnerability aligns with CWE-285, which addresses improper authorization issues in software systems, and demonstrates a clear failure in implementing proper access controls. From an ATT&CK framework perspective, this represents a privilege escalation technique that could lead to further exploitation opportunities within the application environment. Organizations should prioritize immediate remediation through the upgrade to version 16.19.0 where the Workspace Manager edit checks have been properly implemented and enforced for all workspace types including public configurations.

Mitigation strategies should include comprehensive testing of authorization controls following the upgrade, implementation of network segmentation for workspace-related endpoints, and monitoring for unauthorized modifications to workspace content. Security teams should also conduct thorough access control reviews to ensure no other similar bypass vulnerabilities exist within the application's permission model, particularly focusing on endpoints that handle workspace management operations. Regular security assessments and penetration testing of workspace functionality will help identify potential authorization gaps before they can be exploited in production environments.

Responsible

GitHub M

Reservation

05/29/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!