CVE-2026-41317 Overview
CVE-2026-41317 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Frappe Press, a custom application that powers Frappe Cloud infrastructure, subscriptions, marketplace functionality, and software-as-a-service (SaaS) operations. The vulnerable endpoint press.api.account.create_api_secret accepts GET requests and writes to the database, making it susceptible to CSRF-like exploitation.
Critical Impact
An attacker could trick an authenticated user into unknowingly creating API secrets through a malicious link or embedded request, potentially leading to unauthorized API key generation and integrity compromise of user accounts.
Affected Products
- Frappe Press (versions prior to commit 52ea2f2d1b587be0807557e96f025f47897d00fd)
Discovery Timeline
- 2026-04-24 - CVE CVE-2026-41317 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-41317
Vulnerability Analysis
This vulnerability exists due to improper HTTP method enforcement on a state-changing API endpoint. The create_api_secret function in press/api/account.py was decorated with @frappe.whitelist() without restricting the allowed HTTP methods. This design flaw allowed the endpoint to respond to GET requests, which is contrary to REST API security best practices where state-changing operations should only be accessible via POST, PUT, PATCH, or DELETE methods.
The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). When a sensitive operation accepts GET requests, attackers can embed malicious requests in image tags, iframes, or simple hyperlinks that execute automatically when a victim visits an attacker-controlled page or clicks a crafted link.
Root Cause
The root cause is the absence of HTTP method restrictions on the create_api_secret endpoint. The Frappe @frappe.whitelist() decorator, when used without the methods parameter, allows the decorated function to be called via any HTTP method including GET. Since the endpoint performs database write operations (generating and saving API keys and secrets), accepting GET requests violates the principle that safe methods (GET, HEAD, OPTIONS) should not have side effects.
Attack Vector
The attack vector is network-based, requiring no authentication from the attacker's perspective. An authenticated Frappe Press user could be targeted through:
- A malicious webpage containing an embedded request (e.g., <img src="https://target-frappe-instance/api/method/press.api.account.create_api_secret">)
- A crafted link sent via email, chat, or social media
- Any scenario where the victim's browser makes a request to the vulnerable endpoint while maintaining an active session
When triggered, the endpoint would create new API credentials for the victim's account without their explicit consent.
# Security patch in press/api/account.py
# Source: https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd
key.save()
-@frappe.whitelist()
+@frappe.whitelist(methods=["POST"])
def create_api_secret():
user = frappe.get_doc("User", frappe.session.user)
-
- api_key = user.api_key
+ user.api_key = user.api_key or frappe.generate_hash()
api_secret = frappe.generate_hash()
-
- if not api_key:
- api_key = frappe.generate_hash()
- user.api_key = api_key
-
user.api_secret = api_secret
user.save(ignore_permissions=True)
-
- return {"api_key": api_key, "api_secret": api_secret}
+ return {
+ "api_key": user.api_key,
+ "api_secret": api_secret,
+ }
@frappe.whitelist()
Source: GitHub Commit Update
Detection Methods for CVE-2026-41317
Indicators of Compromise
- Unexpected API secret regeneration events in user account activity logs
- GET requests to /api/method/press.api.account.create_api_secret endpoint in web server access logs
- Multiple API credential changes without corresponding user-initiated actions in the web interface
Detection Strategies
- Monitor web server access logs for GET requests targeting the press.api.account.create_api_secret endpoint
- Implement anomaly detection for unusual patterns of API key generation, particularly multiple creations in short time periods
- Review audit logs for API secret creation events that lack corresponding user interface interactions
Monitoring Recommendations
- Enable detailed request logging on Frappe application servers to capture HTTP methods and referrer headers
- Set up alerts for API credential modifications and correlate with user session activity
- Implement referrer validation monitoring to detect cross-origin requests to sensitive endpoints
How to Mitigate CVE-2026-41317
Immediate Actions Required
- Update Frappe Press to a version containing commit 52ea2f2d1b587be0807557e96f025f47897d00fd or later
- Review recent API key generation activity across all user accounts to identify potential unauthorized credential creation
- Consider rotating API credentials for accounts where suspicious activity is detected
Patch Information
The vulnerability has been addressed in commit 52ea2f2d1b587be0807557e96f025f47897d00fd. The fix modifies the @frappe.whitelist() decorator to include methods=["POST"], ensuring the endpoint only accepts POST requests. Organizations running Frappe Press should pull the latest changes from the official repository or apply the specific commit. For detailed information, refer to the GitHub Security Advisory.
Workarounds
- Implement a web application firewall (WAF) rule to block GET requests to the /api/method/press.api.account.create_api_secret endpoint
- Apply reverse proxy configuration to reject non-POST requests to the vulnerable endpoint until the patch can be deployed
- Consider temporarily disabling the API secret creation feature if it is not critical to operations
# Nginx configuration to block GET requests to vulnerable endpoint
location /api/method/press.api.account.create_api_secret {
if ($request_method = GET) {
return 405;
}
proxy_pass http://frappe_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
