CVE-2026-44207

MEDIUM

Frappe: Insecure Direct Object Reference for email accounts

Title source: cna

Description

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an insecure direct object reference (IDOR) vulnerability allows authenticated users to access the email account configuration details of other users. This issue has been patched in versions 15.107.0 and 16.17.0.


Scores

CVSS v4 6.9
EPSS 0.0032
EPSS Percentile 23.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (2)
frappe/frappe < 15.107.0
frappe/frappe < 16.17.0
Published Jun 12, 2026
Tracked Since Jun 12, 2026