CVE-2026-41317
Published: 24 April 2026
Summary
CVE-2026-41317 is a medium-severity CSRF (CWE-352) vulnerability in Frappe Press. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-41317 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting the Press custom app for Frappe, which powers Frappe Cloud and handles infrastructure management, subscriptions, marketplace operations, and software-as-a-service (SaaS) functionalities. The issue resides in the `press.api.account.create_api_secret` API endpoint, which performs database writes but was accessible via the GET method, enabling CSRF-like exploits. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), highlighting high integrity impact with no authentication or user interaction required.
Attackers can exploit this vulnerability remotely over the network without privileges by tricking authenticated users into issuing a GET request to the endpoint, such as through a malicious link or image tag on a controlled site. Successful exploitation allows unauthorized creation of API secrets in the database, potentially enabling further compromise of account access or subscription controls within Frappe Cloud environments.
The patch, detailed in commit 52ea2f2d1b587be0807557e96f025f47897d00fd on the Press GitHub repository, mitigates the issue by restricting the endpoint to POST requests only. Additional guidance is available in the GitHub security advisory at GHSA-q4wg-jrr8-vpwf.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25386
Vulnerability details
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). `press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to the database and is also accessible via the GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts the method to POST.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vulnerability in public-facing Frappe Cloud app enables remote exploitation (T1190) and unauthorized creation of additional cloud API credentials (T1098.001).
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): Directly protects against CSRF exploits by requiring session authenticity mechanisms such as anti-CSRF tokens or HTTP method restrictions for web communications sessions.
- SI-10 (Information Input Validation): Mandates validation of external inputs to prevent forged requests, including CSRF tokens or origin checks that block unauthorized API secret creation.
- Requires secure configuration settings to restrict state-changing endpoints like create_api_secret to POST methods only, mirroring the CVE patch.
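The following Python model shows the defect shape described in the analysis above (a database-writing endpoint reachable by GET with no request-authenticity check) next to the hardened shape the patch and the listed controls call for: POST-only dispatch, a same-origin check, and a per-session anti-CSRF token compared in constant time. It is an added, self-contained example, not code from Frappe Press or the patch commit; the `Request` class, `DB` dictionary, `SITE_ORIGIN` value, header names and the `/api/method/...` path are all constructed for illustration. Frappe's own `frappe.whitelist` decorator takes a `methods` argument for the POST-only restriction (stated from the framework's public API, not from this page), so the method check below stands in for that.

```python
"""Constructed model of a state-changing API endpoint before and after
CSRF hardening. Not Frappe Press code; names and values are illustrative."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://press.example"  # constructed: the site's own origin


@dataclass
class Request:
    """Minimal HTTP request stand-in (constructed)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when a request fails the method, origin or token checks."""


# Toy persistence layer: account name -> list of issued API secrets.
DB = {}


def new_session(user):
    """Server-side session carrying a per-session CSRF token."""
    return {"user": user, "csrf_token": secrets.token_hex(16)}


def state_changing(methods=("POST",)):
    """Decorator for endpoints that write state.

    Order matters: reject disallowed methods first (the fix the patch made),
    then require a same-origin Origin/Referer, then a valid session token.
    """
    def wrap(fn):
        def handler(req, session):
            if req.method.upper() not in methods:
                raise Forbidden(f"{req.method} not allowed; use {', '.join(methods)}")
            origin = req.headers.get("Origin") or req.headers.get("Referer", "")
            if not origin.startswith(SITE_ORIGIN + "/") and origin != SITE_ORIGIN:
                raise Forbidden("cross-origin request refused")
            token = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token", "")
            # compare_digest avoids leaking the token through timing differences
            if not hmac.compare_digest(token, session["csrf_token"]):
                raise Forbidden("missing or invalid CSRF token")
            return fn(req, session)
        return handler
    return wrap


def create_api_secret_unsafe(req, session):
    """Vulnerable shape: writes to the store regardless of method or origin,
    so a forged GET issued by a logged-in user's browser succeeds."""
    secret = secrets.token_urlsafe(24)
    DB.setdefault(session["user"], []).append(secret)
    return secret


@state_changing(methods=("POST",))
def create_api_secret(req, session):
    """Hardened shape: identical body, but only reachable through the checks."""
    secret = secrets.token_urlsafe(24)
    DB.setdefault(session["user"], []).append(secret)
    return secret


def dispatch(handler, req, session):
    """Turn the Forbidden exception into an HTTP-style (status, body) pair."""
    try:
        return 200, handler(req, session)
    except Forbidden as exc:
        return 403, str(exc)


def run_scenario():
    """Replay the request shapes from the advisory and return their outcomes."""
    DB.clear()
    session = new_session("alice")
    path = "/api/method/press.api.account.create_api_secret"  # constructed path
    # Cross-site GET, e.g. triggered by an <img> tag on another origin.
    forged_get = Request("GET", path, headers={"Referer": "https://other.example/"})
    # Same-origin POST that forgot the token: still refused.
    post_no_token = Request("POST", path, headers={"Origin": SITE_ORIGIN})
    # Legitimate POST carrying the session's token.
    legit_post = Request("POST", path, headers={
        "Origin": SITE_ORIGIN, "X-CSRF-Token": session["csrf_token"]})
    return {
        "unsafe_forged_get": dispatch(create_api_secret_unsafe, forged_get, session)[0],
        "forged_get": dispatch(create_api_secret, forged_get, session)[0],
        "post_no_token": dispatch(create_api_secret, post_no_token, session)[0],
        "legit_post": dispatch(create_api_secret, legit_post, session)[0],
        "secrets_stored": len(DB["alice"]),
    }


if __name__ == "__main__":
    for name, status in run_scenario().items():
        print(f"{name}: {status}")
```

Running the scenario shows the unsafe handler issuing a secret on the forged GET while the hardened one returns 403 for both the forged GET and the token-less POST and 200 only for the legitimate request; two secrets end up stored, one from each successful path. The method restriction alone is what the patch added and it is enough to stop the image-tag and plain-link variants, but the origin and token checks are what SC-23 and SI-10 ask for, since a POST can still be forged from a cross-site form without them.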