CVE-2026-44207 Overview
CVE-2026-44207 is an Insecure Direct Object Reference (IDOR) vulnerability in Frappe, a full-stack web application framework that underpins ERPNext and other business applications. The flaw lets authenticated users access other users' email configuration details by manipulating object references in requests. The vulnerability affects Frappe versions prior to 15.107.0 and 16.17.0. Maintainers patched the issue in versions 15.107.0 and 16.17.0. The weakness maps to [CWE-639]: Authorization Bypass Through User-Controlled Key.
Critical Impact
Authenticated attackers can retrieve email configuration details belonging to other Frappe users, exposing credentials and SMTP/IMAP settings that may enable further account takeover.
Affected Products
- Frappe Framework versions prior to 15.107.0
- Frappe Framework versions prior to 16.17.0
- Downstream deployments including ERPNext that bundle vulnerable Frappe releases
Discovery Timeline
- 2026-06-12 - CVE-2026-44207 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-44207
Vulnerability Analysis
The vulnerability is an Insecure Direct Object Reference issue in Frappe's email configuration endpoints. Frappe accepts a user-supplied identifier when retrieving email account records but fails to verify that the requesting user owns the referenced record. As a result, any authenticated user can query email configuration documents belonging to other accounts.
Email account documents in Frappe typically store SMTP and IMAP server addresses, ports, authentication usernames, and related connection metadata. Disclosure of these values gives attackers the inputs needed to target external mail systems or pivot using leaked credentials. The vector requires network access and a valid authenticated session, with no user interaction beyond the attacker's own request.
Root Cause
The root cause is missing object-level authorization on email configuration reads. Frappe's permission layer did not enforce that the authenticated principal matched the owner or an authorized role for the requested email account document. This is a textbook [CWE-639] flaw where access control depends on the secrecy of identifiers rather than enforced ownership checks.
Attack Vector
An authenticated attacker submits a request to the Frappe email configuration endpoint and substitutes another user's document identifier. The server returns the target's email account configuration without verifying authorization. Exploitation requires only a low-privilege account on the target Frappe instance and produces direct disclosure of configuration data on success.
No verified public proof-of-concept code is available. Review the GitHub Security Advisory GHSA-cw6v-39qx-7r74 for vendor-supplied technical detail.
Detection Methods for CVE-2026-44207
Indicators of Compromise
- Authenticated requests to Frappe email account endpoints referencing document identifiers the requesting user does not own
- Unusual volumes of Email Account document reads from a single session or API token
- Access patterns where one user enumerates sequential or wide ranges of email account record names
Detection Strategies
- Correlate Frappe application logs with user identity to flag reads of Email Account documents where the requesting user is not the owner or an administrator
- Inspect web server and reverse proxy logs for parameter tampering against /api/method/frappe.client.get and related email configuration routes
- Baseline normal email configuration access per role and alert on deviations
Monitoring Recommendations
- Forward Frappe and web server logs to a central SIEM or data lake and retain identity-tagged access events for retrospective hunting
- Monitor outbound connections from hosts whose SMTP or IMAP credentials may have been disclosed for signs of credential reuse
- Track upgrades and version inventory of Frappe and ERPNext deployments to confirm patched builds are in production
How to Mitigate CVE-2026-44207
Immediate Actions Required
- Upgrade Frappe to version 15.107.0 or 16.17.0, or later, on all instances
- Rotate SMTP, IMAP, and OAuth credentials stored in email account documents on instances that ran vulnerable versions
- Audit recent access logs for unauthorized reads of email configuration records and review user accounts created or escalated during the exposure window
Patch Information
The Frappe maintainers fixed the IDOR in versions 15.107.0 and 16.17.0. The fix enforces ownership and permission checks on email account document reads. Refer to the Frappe Security Advisory GHSA-cw6v-39qx-7r74 for the canonical patch reference.
Workarounds
- Restrict access to the Frappe instance to trusted networks while upgrades are scheduled
- Reduce the number of authenticated users with API access until patched versions are deployed
- Apply tighter role-based permissions on the Email Account doctype where supported by the deployment
# Upgrade Frappe to a patched release using bench
bench update --reset
bench --site all migrate
bench version | grep frappe
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

