CVE-2026-31017
Published: 08 April 2026
Summary
CVE-2026-31017 is a critical-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in Frappe ERPNext. Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it ranks at the 13.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate and sanitize user-supplied HTML so that <iframe> and any other element or attribute that causes the renderer to fetch a resource is removed before PDF rendering, which eliminates the SSRF trigger itself.
- Boundary protection: monitor and control outbound communications at the system boundary so that the PDF renderer cannot reach internal services or the cloud metadata endpoint even if malicious markup gets through.
- AC-4 (Information Flow Enforcement): enforce an information flow policy that prevents the application from initiating requests to internal endpoints on the basis of user-controlled input.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a public-facing ERPNext/Frappe web application is exploited remotely (T1190); the description explicitly highlights forced server-side requests to cloud metadata endpoints, which gives the attacker access to the instance metadata API (T1522) and lets them retrieve unsecured credentials served from it (T1552.005).
NVD Description
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.
Deeper analysis
A Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-31017 and associated with CWE-918, affects the Print Format functionality in ERPNext version 16.0.1 and Frappe Framework version 16.1.1. The issue arises because user-supplied HTML is insufficiently sanitized before being rendered into PDF. This allows the inclusion of HTML elements, such as <iframe>, that reference external resources. The PDF rendering engine then automatically fetches these resources on the server side, enabling SSRF. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
According to the CVSS vector (PR:N, UI:N), an unauthenticated remote attacker can exploit this vulnerability by supplying malicious HTML content for PDF generation. By embedding references to arbitrary internal services, such as cloud metadata endpoints, the attacker forces the server to make unintended HTTP requests. This can result in the disclosure of sensitive information or further compromise of internal network resources, with high impact on confidentiality and integrity but no direct availability disruption.
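As an added example (not code from Frappe, ERPNext or the referenced repository), the following Python demonstrates the two mitigations the controls section names and the analysis above calls for: a sanitizer that removes every element and attribute that would make the PDF renderer fetch a resource, and a fetch-target check, usable inline before the renderer runs or as the policy of an egress proxy, that refuses literal and non-public addresses such as 169.254.169.254 and any host not on an allowlist. The allowlist entry assets.example.com, the sample print-format HTML and the log-line format are constructed assumptions.

```python
"""Added example (not Frappe or ERPNext code): strip fetch-triggering markup
before rendering (input validation) and refuse any fetch target that is not
an allowlisted public host (flow/egress enforcement). Hosts, HTML and log
lines below are constructed for the example."""
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that make a renderer such as wkhtmltopdf issue a request
# (style is included because CSS url() also fetches).
FETCHING_TAGS = {"iframe", "frame", "img", "object", "embed", "link", "script",
                 "video", "audio", "source", "track", "base", "meta", "style"}
VOID_TAGS = {"img", "link", "source", "track", "base", "meta", "br", "hr", "input"}
URL_ATTRS = {"src", "href", "data", "background", "srcset", "poster", "action"}
ALLOWED_FETCH_HOSTS = {"assets.example.com"}   # hypothetical allowlist


class FetchStripper(HTMLParser):
    """Re-emits the document minus fetching elements (and their content),
    URL-bearing attributes, inline style and on* event handlers.
    Comments and declarations are dropped as well."""

    def __init__(self):
        super().__init__()                    # convert_charrefs=True
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in FETCHING_TAGS:
            a = dict(attrs)
            self.dropped.append((tag, a.get("src") or a.get("href") or a.get("data")))
            if tag not in VOID_TAGS:
                self._skip += 1               # drop the element's content too
            return
        if self._skip:
            return
        kept = [(k, v) for k, v in attrs
                if k not in URL_ATTRS and k != "style" and not k.startswith("on")]
        self.out.append("<%s%s>" % (tag, "".join(
            ' %s="%s"' % (k, html.escape(v or "", quote=True)) for k, v in kept)))

    def handle_endtag(self, tag):
        if tag in FETCHING_TAGS:
            if tag not in VOID_TAGS and self._skip:
                self._skip -= 1
        elif not self._skip and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_print_html(text):
    """Returns (sanitized_html, dropped) where dropped lists (tag, url) pairs."""
    p = FetchStripper()
    p.feed(text)
    p.close()
    return "".join(p.out), p.dropped


def classify_fetch_target(url):
    """'allow', or a 'deny: ...' reason. Literal addresses are never allowed
    (non-public ones, including the 169.254.169.254 metadata host, are named
    explicitly); any other host must be allowlisted, because an attacker-chosen
    name, or a decimal/octal IP spelling, can resolve to an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "deny: scheme %r" % parts.scheme
    host = parts.hostname                     # userinfo and port already removed
    if not host:
        return "deny: no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped               # ::ffff:169.254.169.254 is still metadata
        if not ip.is_global:
            return "deny: non-public address %s" % ip
        return "deny: literal address %s" % ip
    return "allow" if host in ALLOWED_FETCH_HOSTS else "deny: host %r not on allowlist" % host


def audit_renderer_egress(log_lines):
    """Boundary-side check over constructed proxy log lines of the form
    '<timestamp> <process> <method> <url>': returns (line, reason) per violation."""
    flagged = []
    for line in log_lines:
        fields = line.split()
        verdict = classify_fetch_target(fields[3]) if len(fields) >= 4 else "allow"
        if verdict != "allow":
            flagged.append((line, verdict))
    return flagged


if __name__ == "__main__":
    untrusted = ('<h1>Invoice</h1>'                       # constructed print format
                 '<iframe src="http://169.254.169.254/latest/meta-data/"></iframe>'
                 '<img src="http://10.0.0.5:8080/admin">'
                 '<p style="background:url(http://internal/)">Total: 42 &amp; tax</p>')
    clean, dropped = sanitize_print_html(untrusted)
    print(clean)                              # <h1>Invoice</h1><p>Total: 42 &amp; tax</p>
    print(dropped)
    print(classify_fetch_target("http://assets.example.com@169.254.169.254/"))
```

The policy is an allowlist of hostnames rather than a denylist of addresses on purpose: the renderer's resolver decides where a name points, so a denylist applied to the URL string alone is bypassed by a public name whose DNS record points at 169.254.169.254. Pinning the resolved address inside the fetcher, or placing the renderer behind an egress proxy that applies the same check after resolution, closes that gap; that part is not shown here.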
Mitigation details and additional advisories are available in the referenced sources, including the Frappe website at http://frappe.com and a GitHub repository at https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017.
Details
- CWE(s)