CVE-2026-39351

Critical

Published: 07 April 2026

Published

07 April 2026

Modified

10 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0004 13.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-39351 is a critical-severity Missing Authorization (CWE-862) vulnerability in Frappe Frappe. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access to information and system resources, directly preventing the unrestricted Doctype access via the Frappe API exploit.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of system flaws like the missing authorization in Frappe versions prior to 16.14.0 and 15.104.0.

AC-6 Least Privilege partial match

prevent

Employs least privilege to restrict access to only necessary functions, limiting the impact of unauthorized Doctype reads and modifications.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a missing authorization flaw in the public-facing API of a web application framework, directly enabling remote unauthenticated exploitation of the application to access or modify restricted data and structures.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.

Deeper analysisAI

CVE-2026-39351 is a vulnerability in Frappe, a full-stack web application framework, that allows unrestricted Doctype access via an API exploit. It affects versions prior to 16.14.0 and 15.104.0. The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.

Remote attackers require no privileges or user interaction to exploit this over the network with low complexity. Successful exploitation grants unauthorized access to restricted Doctypes through the API, potentially allowing attackers to read sensitive data or modify application structures and content without authentication.

The GitHub Security Advisory at https://github.com/frappe/frappe/security/advisories/GHSA-8ggw-hfr6-rw3x details the issue, recommending upgrades to Frappe version 16.14.0 or 15.104.0 to mitigate the vulnerability by enforcing proper Doctype access controls.

Details

CWE(s): CWE-862

Affected Products

frappe

≤ 15.104.0 · 16.0.0 — 16.14.0

CVEs Like This One

CVE-2025-30212Same product: Frappe Frappe

CVE-2026-35614Same product: Frappe Frappe

CVE-2025-30213Same product: Frappe Frappe

CVE-2025-68929Same product: Frappe Frappe

CVE-2026-31877Same product: Frappe Frappe

CVE-2025-30214Same product: Frappe Frappe

CVE-2026-28436Same product: Frappe Frappe

CVE-2025-30217Same product: Frappe Frappe

CVE-2025-67289Same product: Frappe Frappe

CVE-2026-29077Same product: Frappe Frappe

References

https://github.com/frappe/frappe/security/advisories/GHSA-8ggw-hfr6-rw3x
Vendor Advisory · security-advisories@github.com