
CVE-2026-44975: Frappe Framework Auth Bypass Vulnerability

CVE-2026-44975 is an authentication bypass flaw in Frappe Framework allowing authenticated users to reset onboarding for all system users. This article covers technical details, affected versions, and mitigation.

CVE-2026-44975 Overview

CVE-2026-44975 is a missing authorization vulnerability [CWE-862] in the Frappe full-stack web application framework. Any authenticated user can reset onboarding state for all users in the system. The issue affects versions prior to 15.107.2 and 16.17.4. Frappe maintainers patched the flaw in releases 15.107.2 and 16.17.4.

The vulnerability allows low-privilege accounts to invoke a privileged operation that should be restricted to administrators. Exploitation requires only valid credentials and network access to the Frappe application.

Critical Impact

Authenticated low-privilege users can reset onboarding for every user in the system, disrupting workflows and forcing unwanted user interface state changes.

Affected Products

  • Frappe Framework versions prior to 15.107.2
  • Frappe Framework versions prior to 16.17.4
  • Applications built on the Frappe framework, including ERPNext deployments

Discovery Timeline

  • 2026-06-12 - CVE-2026-44975 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-44975

Vulnerability Analysis

Frappe exposes a server-side function that resets the onboarding flag for users. The function lacks proper authorization checks, classifying the flaw under [CWE-862] Missing Authorization. Any session-authenticated user can call the endpoint and trigger the reset on accounts they do not own.

The impact is limited to integrity of onboarding state. Confidentiality and availability are not directly affected. The CVSS 4.0 vector reflects low integrity impact with no confidentiality or availability consequences.

Resetting onboarding for all users can be used to harass administrators, mask other malicious activity, or generate noise across audit logs. Because the action targets every account in the system, a single request can affect the entire user base.

Root Cause

The root cause is an absent permission check on the onboarding reset operation. The framework treats authentication as sufficient authorization, allowing any logged-in role to execute an action intended for privileged users. This violates the principle of least privilege and the Frappe permission model.
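The following Python model, added here and not taken from Frappe's code base or the advisory, shows the pattern the root cause describes: a whitelisted method that treats "the caller is logged in" as sufficient, beside the hardened form that also checks role membership before touching other users' records. The function names, the in-memory user table, the `Session` object and the role table are all constructed for the illustration; the advisory does not name the real method. In a real Frappe app the equivalent check inside a `@frappe.whitelist()` method is `frappe.only_for("System Manager")` (which raises `frappe.PermissionError`) or a `frappe.has_permission(...)` call on the target document.

```python
"""Added illustration of the CWE-862 pattern behind CVE-2026-44975.

Not Frappe's code: every name here is a constructed stand-in. The real
whitelisted method is not named in the advisory.
"""
from dataclasses import dataclass

# Constructed stand-in for the User doctype: user -> onboarding status.
USERS = {
    "admin@example.com": "Complete",
    "alice@example.com": "Complete",
    "bob@example.com": "Complete",
}

# Constructed stand-in for frappe.get_roles(user).
ROLES = {
    "admin@example.com": {"System Manager", "All"},
    "alice@example.com": {"Employee", "All"},
    "bob@example.com": {"Employee", "All"},
}


@dataclass
class Session:
    """Constructed stand-in for frappe.session."""
    user: str

    @property
    def roles(self) -> set:
        return ROLES.get(self.user, set())


def _require_login(session: Session) -> None:
    """Authentication only: rejects the anonymous Guest session."""
    if session.user == "Guest":
        raise PermissionError("login required")


def reset_onboarding_vulnerable(session: Session, users: dict) -> int:
    """Pre-fix shape: authenticated, but no authorization check.

    Any logged-in account resets onboarding for every user and the count
    of touched records is returned.
    """
    _require_login(session)
    for name in users:
        users[name] = "Not Started"
    return len(users)


def reset_onboarding_fixed(session: Session, users: dict) -> int:
    """Post-fix shape: authorization is checked separately from login.

    Only a System Manager may run the bulk reset; everyone else gets a
    PermissionError and no record is modified.
    """
    _require_login(session)
    if "System Manager" not in session.roles:
        raise PermissionError(f"{session.user} lacks the System Manager role")
    for name in users:
        users[name] = "Not Started"
    return len(users)


if __name__ == "__main__":
    # Employee account succeeds against the vulnerable handler ...
    print(reset_onboarding_vulnerable(Session("bob@example.com"), dict(USERS)))
    # ... and is refused by the fixed one.
    try:
        reset_onboarding_fixed(Session("bob@example.com"), dict(USERS))
    except PermissionError as exc:
        print("refused:", exc)
```

The two handlers differ in a single line; that is the whole fix the advisory describes. Passing a copy of `USERS` keeps each call independent so the before/after behaviour can be compared on identical input.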

Attack Vector

The attack vector is network-based and requires low privileges. An attacker with any valid Frappe user account submits a request to the unprotected whitelisted method. The server processes the request without verifying role membership and applies the reset across all user records.

No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-9cxj-48g3-jx22 for vendor-confirmed technical details.

Detection Methods for CVE-2026-44975

Indicators of Compromise

  • Unexpected resets of the User.onboarding_status or equivalent onboarding fields across multiple accounts.
  • Application logs showing calls to onboarding reset methods originating from non-administrator sessions.
  • Sudden spike in users reporting that the onboarding tour or setup wizard has reappeared.

Detection Strategies

  • Audit Frappe application logs for invocations of whitelisted onboarding reset endpoints by users without the System Manager role.
  • Correlate session identifiers with affected user records to identify the originating account.
  • Review database change history on user onboarding fields to detect bulk modifications within short time windows.

Monitoring Recommendations

  • Enable verbose request logging for whitelisted methods related to user state management.
  • Forward Frappe access and error logs to a centralized SIEM for correlation with authentication events.
  • Alert on any single authenticated session triggering writes to more than one user record within a brief interval.
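As an added example (not part of this advisory and not a Frappe component), the script below implements two of the detection strategies listed above over a handful of constructed log records: it flags calls to an onboarding-reset method by users who lack the System Manager role, and it flags any single session that writes to more than one User record within a short window. The JSON-lines log format, the field names, the method path `hypothetical_app.onboarding.reset_all`, the role table and the 60-second window are all assumptions; map the parser onto whatever request or audit log your deployment actually emits.

```python
"""Added detection example for CVE-2026-44975 over constructed log lines.

Rule A: onboarding-reset method called by a user without System Manager.
Rule B: one session writing to more than one User record within WINDOW.
Log format, method names and roles are constructed for this example.
"""
import json
from datetime import datetime, timedelta

# Assumed suffix of the whitelisted reset method (hypothetical name).
RESET_METHOD_SUFFIX = "onboarding.reset_all"
# Assumed "brief interval" for the bulk-write rule.
WINDOW = timedelta(seconds=60)

# Constructed role table (in Frappe this comes from frappe.get_roles).
ROLES = {
    "admin@example.com": {"System Manager", "All"},
    "alice@example.com": {"Employee", "All"},
}

# Constructed log: one JSON record per whitelisted-method call.
SAMPLE_LOG = """\
{"ts": "2026-06-15T10:00:00", "sid": "s1", "user": "admin@example.com", "method": "hypothetical_app.onboarding.reset_all", "writes": ["User/admin@example.com", "User/alice@example.com", "User/bob@example.com"]}
{"ts": "2026-06-15T10:05:00", "sid": "s2", "user": "alice@example.com", "method": "hypothetical_app.todo.save", "writes": ["ToDo/abc123"]}
{"ts": "2026-06-15T10:05:30", "sid": "s2", "user": "alice@example.com", "method": "hypothetical_app.onboarding.reset_all", "writes": ["User/admin@example.com", "User/alice@example.com", "User/bob@example.com"]}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines records and convert timestamps to datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def unauthorized_reset_calls(records: list, roles: dict = ROLES) -> list:
    """Rule A: reset method invoked by a non-System-Manager account."""
    return [
        r for r in records
        if r["method"].endswith(RESET_METHOD_SUFFIX)
        and "System Manager" not in roles.get(r["user"], set())
    ]


def bulk_user_writes(records: list, window: timedelta = WINDOW) -> dict:
    """Rule B: sid -> distinct User records written inside one window.

    Deliberately role-agnostic: an admin doing a legitimate bulk reset is
    reported too, so the analyst can correlate with Rule A and the role.
    """
    per_session = {}
    for r in records:
        for target in r["writes"]:
            if target.startswith("User/"):
                per_session.setdefault(r["sid"], []).append((r["ts"], target))

    flagged = {}
    for sid, events in per_session.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(targets) > 1:
                flagged[sid] = max(flagged.get(sid, 0), len(targets))
    return flagged


def run_detection(text: str) -> list:
    """Return human-readable alerts for both rules."""
    records = parse_log(text)
    alerts = []
    for r in unauthorized_reset_calls(records):
        alerts.append(f"RULE A sid={r['sid']} user={r['user']} called {r['method']}")
    for sid, n in bulk_user_writes(records).items():
        alerts.append(f"RULE B sid={sid} wrote {n} User records within {WINDOW}")
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert)
```

Rule A is the higher-confidence signal because it ties the call directly to a missing role; Rule B is the broad net recommended under Monitoring and will also fire on legitimate administrative bulk changes, which is why both results are returned separately rather than merged.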

How to Mitigate CVE-2026-44975

Immediate Actions Required

  • Upgrade Frappe to version 15.107.2 or 16.17.4 or later as published by the maintainers.
  • Review active user accounts and revoke credentials that are no longer required.
  • Inspect application logs for prior calls to onboarding reset functionality by non-administrative users.

Patch Information

The Frappe maintainers fixed CVE-2026-44975 in versions 15.107.2 and 16.17.4. The patch adds the missing authorization check to the affected method. Refer to the GitHub Security Advisory GHSA-9cxj-48g3-jx22 for upgrade guidance.

Workarounds

  • Restrict network access to the Frappe application to trusted users until the patch is applied.
  • Audit and minimize the set of accounts with active sessions while the system is unpatched.
  • Monitor onboarding-related fields for unauthorized changes and revert affected records from backups if abuse is detected.

```bash
# Upgrade Frappe to a patched release
bench switch-to-branch version-15 frappe --upgrade
bench update --reset
# Verify installed version is 15.107.2 or 16.17.4 or later
bench version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
