{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39351", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T20:28:38.394Z", "datePublished": "2026-04-07T18:52:01.531Z", "dateUpdated": "2026-04-07T18:52:01.531Z"}, "containers": {"cna": {"title": "Frappe allows unrestricted Doctype access via API exploit", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-8ggw-hfr6-rw3x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-8ggw-hfr6-rw3x"}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"version": "< 15.104.0", "status": "affected"}, {"version": ">= 16.0.0-beta.1, < 16.14.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T18:52:01.531Z"}, "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit."}], "source": {"advisory": "GHSA-8ggw-hfr6-rw3x", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit."}], "id": "CVE-2026-39351", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T19:16:46.213", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/frappe/frappe/security/advisories/GHSA-8ggw-hfr6-rw3x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.104.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0-beta.1,16.14.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "frappe", "source": "cna", "vendor": "frappe"}, "product": "frappe", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-07T22:43:09.405360+00:00", "value": {"mitigation_remediation": ["Upgrade Frappe to version 16.14.0 or 15.104.0 or newer to eliminate the unauthorized Doctype access flaw.", "Verify that all API endpoints are protected by role\u2011based access control and that only authorized users can perform Doctype operations.", "Monitor and audit API usage logs for signs of unauthorized access attempts.", "If an immediate upgrade is not possible, restrict API access to trusted IP ranges or enforce stricter authentication before allowing Doctype operations."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted Doctype access via API"}, "threat_synthesis": {"affected_systems": "This issue affects the Frappe web application framework from any vendor that uses the open\u2011source edition. All installations running versions earlier than 16.14.0 or 15.104.0 are vulnerable. The framework is used in industries such as ERP, CRM, and internal tooling; any host running the affected code is at risk.", "description_and_impact": "The vulnerability permits unrestricted access to any Doctype via Frappe's API. This lack of authorization control enables an attacker to read or modify sensitive data stored in database tables when the API is exposed. The weakness is classified as an authorization bypass (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate to high severity. EPSS data is unavailable and the flaw is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker could exploit the flaw by sending crafted API requests to an exposed endpoint; no additional prerequisites are described. The risk remains significant for deployments that expose the API to untrusted networks."}}}}, "created": "2026-04-08T19:34:55.570419+00:00", "updated": "2026-04-08T19:46:33.469836+00:00", "vendors": ["frappe", "frappe$PRODUCT$frappe"]}