Frappe up to 14.99.x/15.97.x access control

Summaryinfo

A vulnerability was found in Frappe up to 14.99.x/15.97.x. It has been declared as critical. This impacts an unknown function. Such manipulation leads to access control. This vulnerability is uniquely identified as CVE-2026-29077. The attack can be launched remotely. No exploit exists. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Frappe up to 14.99.x/15.97.x. Affected by this issue is some unknown processing. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0.

The advisory is shared for download at github.com. This vulnerability is handled as CVE-2026-29077 since 03/03/2026. The exploitation is known to be easy. The attack may be launched remotely. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1068.

Upgrading to version 14.100.0 or 15.98.0 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Frappe

Version

• 14.0
• 14.1
• 14.2
• 14.3
• 14.4
• 14.5
• 14.6
• 14.7
• 14.8
• 14.9
• 14.10
• 14.11
• 14.12
• 14.13
• 14.14
• 14.15
• 14.16
• 14.17
• 14.18
• 14.19
• 14.20
• 14.21
• 14.22
• 14.23
• 14.24
• 14.25
• 14.26
• 14.27
• 14.28
• 14.29
• 14.30
• 14.31
• 14.32
• 14.33
• 14.34
• 14.35
• 14.36
• 14.37
• 14.38
• 14.39
• 14.40
• 14.41
• 14.42
• 14.43
• 14.44
• 14.45
• 14.46
• 14.47
• 14.48
• 14.49
• 14.50
• 14.51
• 14.52
• 14.53
• 14.54
• 14.55
• 14.56
• 14.57
• 14.58
• 14.59
• 14.60
• 14.61
• 14.62
• 14.63
• 14.64
• 14.65
• 14.66
• 14.67
• 14.68
• 14.69
• 14.70
• 14.71
• 14.72
• 14.73
• 14.74
• 14.75
• 14.76
• 14.77
• 14.78
• 14.79
• 14.80
• 14.81
• 14.82
• 14.83
• 14.84
• 14.85
• 14.86
• 14.87
• 14.88
• 14.89
• 14.90
• 14.91
• 14.92
• 14.93
• 14.94
• 14.95
• 14.96
• 14.97
• 14.98
• 14.99
• 15.0
• 15.1
• 15.2
• 15.3
• 15.4
• 15.5
• 15.6
• 15.7
• 15.8
• 15.9
• 15.10
• 15.11
• 15.12
• 15.13
• 15.14
• 15.15
• 15.16
• 15.17
• 15.18
• 15.19
• 15.20
• 15.21
• 15.22
• 15.23
• 15.24
• 15.25
• 15.26
• 15.27
• 15.28
• 15.29
• 15.30
• 15.31
• 15.32
• 15.33
• 15.34
• 15.35
• 15.36
• 15.37
• 15.38
• 15.39
• 15.40
• 15.41
• 15.42
• 15.43
• 15.44
• 15.45
• 15.46
• 15.47
• 15.48
• 15.49
• 15.50
• 15.51
• 15.52
• 15.53
• 15.54
• 15.55
• 15.56
• 15.57
• 15.58
• 15.59
• 15.60
• 15.61
• 15.62
• 15.63
• 15.64
• 15.65
• 15.66
• 15.67
• 15.68
• 15.69
• 15.70
• 15.71
• 15.72
• 15.73
• 15.74
• 15.75
• 15.76
• 15.77
• 15.78
• 15.79
• 15.80
• 15.81
• 15.82
• 15.83
• 15.84
• 15.85
• 15.86
• 15.87
• 15.88
• 15.89
• 15.90
• 15.91
• 15.92
• 15.93
• 15.94
• 15.95
• 15.96
• 15.97

Website

• Product: https://github.com/frappe/frappe/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion