CVE-2026-39352 Overview
CVE-2026-39352 is a path traversal vulnerability in Frappe, a full-stack Python and JavaScript web application framework. Releases on the 15.x branch before 15.105.0 and on the 16.x branch before 16.15.0 allow an unauthenticated attacker to read arbitrary files that the Frappe process user can access on the host filesystem. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Maintainers resolved the issue in Frappe 15.105.0 and 16.15.0.
Critical Impact
Remote, unauthenticated attackers can read sensitive files on the server, including configuration files, credentials, and application source code.
Affected Products
- Frappe Framework 15.x versions prior to 15.105.0
- Frappe Framework 16.x versions prior to 16.15.0
- Downstream applications built on vulnerable Frappe releases (including ERPNext deployments)
Discovery Timeline
- 2026-05-20 - CVE-2026-39352 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-39352
Vulnerability Analysis
The vulnerability allows an attacker to traverse outside the intended directory and read any file the web application's OS user can open. Path traversal flaws occur when user-supplied input is concatenated into a filesystem path without canonicalization and a containment check against the intended base directory. Successful exploitation yields a confidentiality impact without requiring authentication or user interaction.
The attack is delivered over the network against the Frappe HTTP interface. Because Frappe powers business platforms such as ERPNext, reachable files typically include the per-site site_config.json (which holds the database password and the site encryption key), private file attachments under the site's private/files directory, and the bench's common_site_config.json. Read-only access to these resources often enables follow-on attacks against the database and other connected services.
Root Cause
The root cause is improper sanitization of a path component handled by Frappe before opening a file on disk. Traversal sequences such as ../ are neither rejected nor neutralized by canonicalizing the resolved path, so the final path can escape the intended base directory. Note that merely stripping ../ substrings is not a sufficient fix (inputs such as ....// survive a single pass); the robust fix resolves the full path and verifies it still lies under the base directory. The Frappe maintainers addressed the issue in versions 15.105.0 and 16.15.0. See the GitHub Security Advisory GHSA-67rf-pxgh-vfqv for advisory details.
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP request to the Frappe application. The request supplies a filename or path parameter containing traversal sequences, possibly URL-encoded one or more times. Frappe joins the value onto a directory it is permitted to serve from, and because the result is not checked for containment, the resolved path leaves that directory and the file contents are returned in the response. No prior credentials, tokens, or user interaction are required; what can be read is bounded only by the filesystem permissions of the Frappe process user. Technical details are documented in the upstream Frappe v16.15.0 release notes.
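The following is an added illustration of the root cause and the attack vector above, not code from Frappe or from the advisory. It places a CWE-22 style join (user input appended to a base directory with no containment check) beside a hardened resolver that decodes repeatedly, canonicalizes, and rejects anything outside the base directory. The base directory, function names and the inputs are hypothetical; the real vulnerable Frappe endpoint is not reproduced here.

```python
"""Vulnerable vs. hardened path resolution for a Frappe-style file endpoint.

Hypothetical example, not Frappe's own code. BASE_DIR, the function names and
the sample inputs are assumptions made for illustration.
"""
import os
from urllib.parse import unquote

# Assumed per-site private files directory that a file endpoint must never
# escape. Frappe keeps sites under sites/<site>/; the exact layout is a sketch.
BASE_DIR = "/home/frappe/bench/sites/site1.local/private/files"


def resolve_vulnerable(user_path: str) -> str:
    """CWE-22 pattern: the user-controlled value is joined onto BASE_DIR and
    normalised, but never checked for containment, so '../' walks out."""
    return os.path.normpath(os.path.join(BASE_DIR, user_path))


def resolve_hardened(user_path: str) -> str:
    """Decode, canonicalise, then require the result to stay inside BASE_DIR.

    Decoding is repeated until the value is stable so that double-encoded
    traversal (%252e%252e%252f) does not slip past a single unquote().
    Rejecting escapes instead of stripping '..' avoids the '....//' bypass.
    """
    decoded = user_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    # A leading '/' would make os.path.join discard BASE_DIR entirely.
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded.lstrip("/")))
    base = os.path.realpath(BASE_DIR)
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_safe(user_path: str) -> bool:
    """True when the hardened resolver accepts the value."""
    try:
        resolve_hardened(user_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed probe values (not taken from the advisory).
    for probe in ["reports/q1.pdf", "../../site_config.json",
                  "%2e%2e/%2e%2e/site_config.json",
                  "%252e%252e%252fsite_config.json", "....//....//site_config.json"]:
        print(f"{probe!r:45} vulnerable -> {resolve_vulnerable(unquote(probe))}")
        print(f"{'':45} hardened   -> {'accepted' if is_safe(probe) else 'REJECTED'}")
```

Running the block prints, for each probe, where the naive join would land (two levels up is the site's site_config.json) and whether the hardened resolver accepts it. The containment test compares real paths, so a symlink planted inside the base directory that points outside it is also refused.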
Detection Methods for CVE-2026-39352
Indicators of Compromise
- HTTP requests containing ../, ..%2f, %2e%2e/, or other encoded traversal sequences targeting Frappe endpoints
- Web server access logs showing 200 responses for requests referencing files outside the Frappe sites directory
- Reads by the Frappe process of files it has no legitimate reason to open, such as /etc/passwd, /etc/shadow, SSH private keys, or shell history files (note that Frappe opens site_config.json on normal requests, so a file-level audit cannot distinguish attacker reads of it; use the web logs for that)
- Outbound connections from the Frappe host, or logins to the database and connected services from unfamiliar sources, shortly after suspicious file-read activity, which may indicate reuse of leaked credentials
Detection Strategies
- Inspect reverse proxy and Nginx logs for traversal patterns in query strings and path parameters directed at Frappe routes
- Deploy WAF rules that fully URL-decode input (repeating the decode for double-encoded payloads such as %252e%252e%252f) and block normalized paths containing .. segments in both the path and query string
- Audit Frappe application logs for file open operations resolving outside the configured sites/ directory
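As an added example covering the indicators and detection strategies above (not tooling from Frappe or the advisory), the script below scans Nginx combined-format access log lines, decodes percent-encoding repeatedly, normalizes backslashes, and flags any request whose path or query values contain a .. segment or a dots-only segment such as the ....// form that defeats naive stripping. The log lines are constructed for illustration, and the request paths in them are placeholders rather than the vulnerable Frappe route.

```python
"""Flag path traversal attempts in reverse-proxy access logs.

Added example; not Frappe code. SAMPLE_LOG is constructed, and the request
paths in it are placeholders, not the vulnerable Frappe endpoint.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Nginx "combined" format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic). Line 5 is a benign file name
# that merely contains '..' and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2026:10:01:02 +0000] "GET /private/files/reports/q1.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [20/May/2026:10:01:09 +0000] "GET /private/files/..%2f..%2fsite_config.json HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '198.51.100.23 - - [20/May/2026:10:01:15 +0000] "GET /download?filename=%252e%252e%252f%252e%252e%252fsite_config.json HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '198.51.100.23 - - [20/May/2026:10:01:20 +0000] "GET /private/files/....//....//etc/passwd HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '192.0.2.9 - - [20/May/2026:10:02:41 +0000] "GET /private/files/notes/2026..draft.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e (double-encoded '..') is seen,
    and fold backslashes so '..\\' is treated like '../'."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value.replace("\\", "/")


def traversal_segments(value: str) -> List[str]:
    """Segments that are '..' or any run of two or more dots. The dots-only
    rule catches '....//', which turns into '../' after one naive strip."""
    return [seg for seg in fully_decode(value).split("/") if re.fullmatch(r"\.{2,}", seg)]


def analyze_line(line: str) -> Optional[dict]:
    """Return a hit record for a traversal attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    suspects = traversal_segments(parts.path)
    # Traversal may also hide in query values (?filename=..%2f..%2f...).
    for _key, val in parse_qsl(parts.query, keep_blank_values=True):
        suspects += traversal_segments(val)
    if not suspects:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "target": target,
        "status": int(m.group("status")),
        # A 200 on a traversal request means the file was very likely served.
        "served": m.group("status") == "200",
    }


def scan(lines) -> List[dict]:
    """Apply analyze_line to every line and keep the hits."""
    return [hit for hit in (analyze_line(ln) for ln in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked/missing"
        print(f"{hit['timestamp']} {hit['ip']:15} {flag:15} {hit['target']}")
```

Pipe a real access log into scan() line by line; hits with served set are the ones to treat as confirmed exposure and to feed the credential rotation step. The rule deliberately ignores '..' inside an ordinary file name (2026..draft.txt) to keep false positives down.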
Monitoring Recommendations
- Alert on the Frappe application user account reading files outside the bench directory, such as system credential stores and other users' home directories (its own site configuration files are read on every request and are not a useful trigger)
- Monitor for anomalous spikes in file-serving endpoints, particularly those accepting filename parameters
- Correlate web request patterns with subsequent authentication attempts using leaked credentials
How to Mitigate CVE-2026-39352
Immediate Actions Required
- Upgrade Frappe to 15.105.0 or later on the 15.x branch, or 16.15.0 or later on the 16.x branch, as documented in the v16.15.0 release notes
- Rotate credentials, API keys, and secrets stored in site_config.json and environment files on potentially exposed hosts
- Review web server access logs for traversal patterns prior to the upgrade date
Patch Information
The Frappe maintainers released fixes in versions 15.105.0 and 16.15.0. Administrators using the bench tooling should confirm the bench tracks the version-15 or version-16 branch, run bench update to pull the patched release, then restart the Frappe web and worker processes and verify the reported version with bench version. ERPNext deployments must align Frappe and ERPNext versions per the upstream compatibility matrix.
Workarounds
- Place a WAF or reverse proxy in front of Frappe with rules blocking ../ sequences in all request components after full URL decoding; treat this as a stopgap only, since encoding variants and parser differences between proxy and application can bypass signature rules
- Restrict the Frappe process file system permissions so it cannot read sensitive system files or unrelated application data
- Limit network exposure of the Frappe interface to trusted networks until patching is complete
# Upgrade Frappe via bench to a patched release.
# --reset discards uncommitted local changes in the app checkouts; omit it if
# you carry local patches and merge them instead.
bench update --reset
bench --site all migrate
bench restart
# Confirm frappe reports 15.105.0+ (15.x) or 16.15.0+ (16.x).
bench version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.