PatchSiren cyber security CVE debrief

CVE-2026-44207 frappe CVE debrief

CVE-2026-44207 is a Medium severity vulnerability in Frappe, a full-stack web application framework. The issue, classified as an Insecure Direct Object Reference (IDOR), allows authenticated users to access other users' email configuration details. This vulnerability existed prior to Frappe versions 15.107.0 and 16.17.0, which have addressed the issue. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 6.9.

Vendor: frappe
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Users of Frappe framework, especially those who have not upgraded to versions 15.107.0 or 16.17.0, should be aware of this vulnerability. Authenticated users could potentially exploit this IDOR vulnerability to access unauthorized email configurations of other users.

Technical summary

The vulnerability is caused by improper access control in Frappe, enabling authenticated users to access email configurations of other users. This issue has been resolved in Frappe versions 15.107.0 and 16.17.0.

Defensive priority

Medium

Recommended defensive actions

Upgrade to Frappe version 15.107.0 or 16.17.0, or later, to patch the vulnerability.
Review and restrict access controls for email configuration details to prevent unauthorized access.

Evidence notes

The CVE-2026-44207 record was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-44207). Additional details can be found on the [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-44207) and [source reference](https://github.com/frappe/frappe/security/advisories/GHSA-cw6v-39qx-7r74).

Official resources

CVE-2026-44207 was published on 2026-06-12T16:16:27.713Z and modified on 2026-06-12T16:17:58.070Z.