CVE-2026-29077 Overview
CVE-2026-29077 is a Broken Access Control vulnerability in Frappe, a full-stack web application framework. Because the document-sharing code did not validate the permission level being granted, an authenticated user could share a document with permissions exceeding their own access to it. The weakness is improper access control (CWE-284), and it allows privilege escalation through the sharing mechanism.
Critical Impact
Authenticated users can bypass permission restrictions by sharing documents with higher privileges than they hold, exposing data they were only allowed to read and allowing unauthorized modifications through the recipient account.
Affected Products
- Frappe Framework 15.x prior to 15.98.0
- Frappe Framework 14.x prior to 14.100.0
Discovery Timeline
- 2026-03-05 - CVE-2026-29077 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-29077
Vulnerability Analysis
This vulnerability exists in Frappe's document sharing functionality. When a user shares a document, the framework did not verify that the sharing user actually holds the permission level being granted to the recipient. A user with limited access (for example read-only) could therefore share a document with write access to another user, including an alternate account under their own control.
The result is privilege escalation: an attacker with minimal access could repeat the share across every document they are allowed to share, raising their effective permissions over business data well beyond what their role grants.
Root Cause
The root cause is improper access control (CWE-284) in the share validation logic. When a share request is processed, the application confirms that the requesting user is allowed to share the document, but it does not check that the user holds each permission level being granted (such as write). The check is on access to the document, not on whether the sharer's own level meets or exceeds the level handed out.
Attack Vector
The attack is network-based and requires only a low-privileged authenticated account. An attacker would:
- Authenticate to a Frappe-based application with any valid user account
- Open a document they hold limited permissions on (for example read-only) but are allowed to share
- Use the share function to grant a higher permission level (for example write) to a target user
- The target user, which may be an alternate account controlled by the attacker, now has elevated access to that document
The vulnerability requires no user interaction and has no availability impact, but it threatens data confidentiality and integrity: an attacker could use it to read sensitive records or modify critical business documents.
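To make the missing check concrete, the following is an added example and not Frappe's code. It models share validation against a small in-memory permission table: ROLE_PERMS, USER_ROLES, has_permission and the share_* functions are constructed for this illustration; only the DocShare flag names read/write/share/submit come from Frappe. The vulnerable variant checks only that the sharer may share the document, as the root cause above describes; the fixed variant also refuses any flag the sharer does not hold.

```python
"""Models the missing check behind CVE-2026-29077 (illustrative, not Frappe code).

Assumptions (not from the advisory): ROLE_PERMS, USER_ROLES and the function
names below are constructed for this example. The DocShare flag names
read/write/share/submit are Frappe's.
"""

# Permission flags a DocShare record carries.
PTYPES = ("read", "write", "share", "submit")

# Constructed role permission table: doctype -> role -> permissions held.
ROLE_PERMS = {
    "Sales Invoice": {
        "Sales User": {"read", "share"},
        "Accounts Manager": {"read", "write", "share", "submit"},
    },
}

# Constructed user -> roles mapping.
USER_ROLES = {
    "alice@example.com": {"Sales User"},
    "bob@example.com": {"Sales User"},
    "carol@example.com": {"Accounts Manager"},
}


def has_permission(user, doctype, ptype):
    """True if any role held by user grants ptype on doctype."""
    perms = ROLE_PERMS.get(doctype, {})
    return any(ptype in perms.get(role, set()) for role in USER_ROLES.get(user, set()))


def escalated_flags(sharer, doctype, flags):
    """Flags the sharer is trying to grant but does not hold themselves."""
    return [p for p in PTYPES if flags.get(p) and not has_permission(sharer, doctype, p)]


def _doc_share(sharer, doctype, name, user, flags):
    """Build the DocShare-like record; owner is the user who created the share."""
    row = {"owner": sharer, "user": user, "share_doctype": doctype, "share_name": name}
    row.update({p: int(bool(flags.get(p))) for p in PTYPES})
    return row


def share_vulnerable(sharer, doctype, name, user, **flags):
    """Pre-fix behaviour as described: only checks that the sharer may share the
    document at all, never the level being granted."""
    if not has_permission(sharer, doctype, "share"):
        raise PermissionError(f"{sharer} may not share {doctype} {name}")
    return _doc_share(sharer, doctype, name, user, flags)


def share_fixed(sharer, doctype, name, user, **flags):
    """Hardened behaviour: the sharer must also hold every flag they grant."""
    if not has_permission(sharer, doctype, "share"):
        raise PermissionError(f"{sharer} may not share {doctype} {name}")
    excess = escalated_flags(sharer, doctype, flags)
    if excess:
        raise PermissionError(f"{sharer} cannot grant {excess} on {doctype} {name}")
    return _doc_share(sharer, doctype, name, user, flags)


def fixed_rejects(sharer, doctype, name, user, **flags):
    """True if the hardened check would refuse this share."""
    try:
        share_fixed(sharer, doctype, name, user, **flags)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # alice holds only read+share on Sales Invoice but hands write to bob.
    leaked = share_vulnerable("alice@example.com", "Sales Invoice", "SINV-0001",
                              "bob@example.com", read=1, write=1)
    print("vulnerable path granted:", leaked)
    print("fixed path refuses:", fixed_rejects("alice@example.com", "Sales Invoice",
                                               "SINV-0001", "bob@example.com",
                                               read=1, write=1))
```

The escalated_flags comparison is also the shape of a pre-patch workaround: in a custom app it could run from a before_insert entry under doc_events for the DocShare doctype in hooks.py, with frappe.has_permission(doc.share_doctype, ptype, user=frappe.session.user) in place of the constructed table. That wiring is an assumption of this example, not a description of the upstream fix.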
Detection Methods for CVE-2026-29077
Indicators of Compromise
- Document shares whose granted permission flags exceed what the sharing user holds on that doctype
- Repeated share operations from low-privileged accounts that grant write or submit access
- Share records in the audit trail that do not line up with the sharer's role-based permissions
Detection Strategies
- Monitor application logs for share events and correlate the permission flags granted with the sharer's own permissions
- Alert on share operations where the granted level exceeds the sharer's documented access rights
- Query the DocShare doctype (table tabDocShare), where the record owner is the user who created the share, for rows whose read/write/share/submit flags exceed that owner's own permissions
Monitoring Recommendations
- Log calls to Frappe's share API (frappe.share.add) at the reverse proxy or application layer so the sharer, recipient and permission flags are recorded
- Deploy application-layer monitoring to track permission changes and sharing activity
- Establish a baseline of normal sharing patterns and alert on deviations
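The tabDocShare review and the repeat-offender check described above, as an added example that is not Frappe tooling. It builds an in-memory SQLite copy of the tabDocShare columns the audit needs (owner is the user who created the share; read/write/share/submit are the granted flags) and fills it with constructed rows so it runs offline. The same query runs against the site's MariaDB database; HELD is a constructed stand-in for frappe.has_permission.

```python
"""Retrospective audit of tabDocShare for shares that exceed the sharer's rights.

Added example, not Frappe tooling. SAMPLE_ROWS and HELD are constructed;
the column names match Frappe's DocShare doctype.
"""
import sqlite3

PTYPES = ("read", "write", "share", "submit")

# The query a practitioner would run against the real site database
# (MariaDB accepts the same backtick quoting).
SHARE_QUERY = """
SELECT name, owner, creation, user, share_doctype, share_name,
       `read`, `write`, `share`, `submit`, everyone
FROM `tabDocShare`
WHERE `write` = 1 OR `share` = 1 OR `submit` = 1
ORDER BY creation
"""

# Constructed sample rows: (name, owner, creation, user, share_doctype,
# share_name, read, write, share, submit, everyone).
SAMPLE_ROWS = [
    ("DS-0001", "alice@example.com", "2026-03-01 09:12:00", "bob@example.com",
     "Sales Invoice", "SINV-0001", 1, 1, 0, 0, 0),
    ("DS-0002", "alice@example.com", "2026-03-01 09:13:00", "bob@example.com",
     "Sales Invoice", "SINV-0002", 1, 1, 0, 1, 0),
    ("DS-0003", "carol@example.com", "2026-03-02 10:00:00", "bob@example.com",
     "Sales Invoice", "SINV-0003", 1, 1, 0, 0, 0),
    ("DS-0004", "alice@example.com", "2026-03-02 11:00:00", "dave@example.com",
     "Sales Invoice", "SINV-0004", 1, 0, 0, 0, 0),
]

# Constructed: what each sharer actually holds, user -> doctype -> flags.
HELD = {
    "alice@example.com": {"Sales Invoice": {"read", "share"}},
    "carol@example.com": {"Sales Invoice": {"read", "write", "share", "submit"}},
}


def held_permission(user, doctype, ptype):
    """Stand-in for frappe.has_permission(doctype, ptype, user=user)."""
    return ptype in HELD.get(user, {}).get(doctype, set())


def build_sample_db():
    """In-memory table with the tabDocShare columns used by the audit."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE `tabDocShare` (name TEXT PRIMARY KEY, owner TEXT, creation TEXT,"
        " user TEXT, share_doctype TEXT, share_name TEXT, `read` INT, `write` INT,"
        " `share` INT, `submit` INT, everyone INT)"
    )
    conn.executemany("INSERT INTO `tabDocShare` VALUES (?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.row_factory = sqlite3.Row
    return conn


def fetch_shares(conn):
    """Shares that grant anything beyond read, as plain dicts."""
    return [dict(r) for r in conn.execute(SHARE_QUERY)]


def flag_escalated_shares(rows, has_perm=held_permission):
    """Rows whose granted flags include one the sharer (owner) does not hold."""
    flagged = []
    for row in rows:
        excess = [p for p in PTYPES
                  if row[p] and not has_perm(row["owner"], row["share_doctype"], p)]
        if excess:
            flagged.append({
                "name": row["name"], "owner": row["owner"], "user": row["user"],
                "document": f"{row['share_doctype']} {row['share_name']}",
                "creation": row["creation"], "excess": excess,
            })
    return flagged


def sharers_by_flag_count(flagged):
    """Sharers ranked by number of escalated shares (repeat offenders first)."""
    counts = {}
    for f in flagged:
        counts[f["owner"]] = counts.get(f["owner"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def audit(conn=None):
    """Run the whole audit; returns (flagged rows, per-sharer counts)."""
    conn = conn or build_sample_db()
    flagged = flag_escalated_shares(fetch_shares(conn))
    return flagged, sharers_by_flag_count(flagged)


if __name__ == "__main__":
    flagged, counts = audit()
    for f in flagged:
        print(f"{f['name']}: {f['owner']} granted {f['excess']} on {f['document']} to {f['user']}")
    print("escalated shares per sharer:", counts)
```

On a real site, replace build_sample_db with a connection to the site database and pass a has_perm callable backed by frappe.has_permission; any flagged row is a share to remove or downgrade, and a sharer with several flagged rows is the repeated-share indicator listed above.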
How to Mitigate CVE-2026-29077
Immediate Actions Required
- Upgrade Frappe Framework to 15.98.0 or later on the 15.x branch
- Upgrade Frappe Framework to 14.100.0 or later on the 14.x branch
- Audit existing DocShare records for shares whose permission flags exceed what the sharing user holds, and remove or downgrade any found
- Review user accounts for suspicious sharing patterns, especially low-privileged accounts sharing with each other
Patch Information
The vulnerability is patched in Frappe Framework 15.98.0 and 14.100.0. The fix validates that a user cannot share a document with permissions exceeding their own access level. For details, refer to the GitHub Security Advisory.
Workarounds
- Until patched, remove the Share permission from non-administrative roles in Role Permission Manager so only trusted users can create shares
- Implement network-level access controls to limit exposure of Frappe applications
- Review and tighten role-based access controls to minimize the impact of any escalation
- Add application-level validation of share operations in a custom app, for example a doc_events hook on the DocShare doctype that rejects flags the sharer does not hold
# Upgrade Frappe to a patched version. Run from the bench directory and stay on
# the branch matching your major version (version-14 or version-15).
bench update --apps frappe
bench migrate
# Verify the installed version: frappe should report 15.98.0 or later (15.x)
# or 14.100.0 or later (14.x)
bench version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

