VYPR
High severity (CVSS 7.5) · NVD Advisory · Published Apr 24, 2026 · Updated Apr 30, 2026

CVE-2026-41317

Description

Press, the Frappe custom app that runs Frappe Cloud, manages infrastructure, subscriptions, the marketplace, and software-as-a-service (SaaS). The whitelisted endpoint press.api.account.create_api_secret was open to a CSRF-style attack: it writes to the database (it regenerates the calling user's API secret and saves the User record), yet it was also reachable via the GET method, so any cross-site page that makes a logged-in victim's browser request the URL triggers the write under the victim's session. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts the method to POST.
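The mechanism the description relies on, as an added example that is neither this page's nor Press's code: a toy dispatcher with Frappe-style whitelisting in which, as the model assumes of the framework, the CSRF token header is validated only for non-GET requests. The header name X-Frappe-CSRF-Token, the in-memory session store, the check order and the sample victim user are assumptions of the model; the two endpoint bodies follow the before/after shape of the patch.

```python
"""Why a GET-reachable, state-changing whitelisted endpoint is CSRF-able.

Toy model added for illustration; not Frappe or Press code. It builds in the
two rules the advisory depends on: a whitelisted function answers any HTTP
method unless restricted with methods=["POST"], and the CSRF token header is
validated only for non-GET requests (an assumption about the framework).
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

CSRF_HEADER = "X-Frappe-CSRF-Token"  # assumed header name

@dataclass
class User:
    """Stand-in for the User doc; only the credential fields matter here."""
    name: str
    api_key: Optional[str] = None
    api_secret: Optional[str] = None
    saves: int = 0  # counts writes so callers can see whether state changed

    def save(self) -> None:  # stand-in for user.save(ignore_permissions=True)
        self.saves += 1

@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)

# function name -> (function, allowed methods; None means any method)
WHITELIST: Dict[str, Tuple[Callable[[User], dict], Optional[Set[str]]]] = {}
SESSIONS: Dict[str, Tuple[User, str]] = {}  # constructed store: sid -> (user, csrf token)

def whitelist(methods: Optional[List[str]] = None):
    """Toy counterpart of @frappe.whitelist(methods=[...])."""
    def deco(fn):
        WHITELIST[fn.__name__] = (fn, set(methods) if methods else None)
        return fn
    return deco

def generate_hash() -> str:
    return secrets.token_hex(16)

@whitelist()  # before the fix: reachable by any method, GET included
def create_api_secret_unrestricted(user: User) -> dict:
    user.api_key = user.api_key or generate_hash()  # keep an existing key
    user.api_secret = generate_hash()               # always rotate the secret
    user.save()
    return {"api_key": user.api_key, "api_secret": user.api_secret}

@whitelist(methods=["POST"])  # after the fix
def create_api_secret(user: User) -> dict:
    return create_api_secret_unrestricted(user)

def handle(req: Request) -> Tuple[int, Optional[dict]]:
    """Authenticate from the session cookie, validate the CSRF token for
    non-GET requests, enforce the per-function method list, then call."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, None
    user, csrf_token = sess
    if req.method != "GET" and req.headers.get(CSRF_HEADER) != csrf_token:
        return 400, None  # a forged cross-site POST carries no token
    fn, allowed = WHITELIST[req.path.rsplit(".", 1)[-1]]
    if allowed is not None and req.method not in allowed:
        return 405, None
    return 200, fn(user)

def _victim() -> User:
    """Constructed sample: a logged-in user who already has a key pair."""
    user = User("victim@example.com", api_key="k-old", api_secret="s-old")
    SESSIONS["sid-victim"] = (user, "csrf-victim")
    return user

def cross_site_get(endpoint: str) -> Tuple[int, User]:
    """What an <img src=".../api/method/...endpoint"> on an attacker page
    produces: a GET carrying the victim's session cookie and no custom headers."""
    user = _victim()
    req = Request("GET", f"/api/method/press.api.account.{endpoint}",
                  cookies={"sid": "sid-victim"})
    return handle(req)[0], user

def same_site_post(endpoint: str, with_token: bool) -> Tuple[int, User]:
    """A POST from the app's own pages (with token) or a forged one (without)."""
    user = _victim()
    headers = {CSRF_HEADER: "csrf-victim"} if with_token else {}
    req = Request("POST", f"/api/method/press.api.account.{endpoint}",
                  cookies={"sid": "sid-victim"}, headers=headers)
    return handle(req)[0], user

if __name__ == "__main__":
    for ep in ("create_api_secret_unrestricted", "create_api_secret"):
        status, u = cross_site_get(ep)
        print(f"cross-site GET {ep}: HTTP {status}, rotated={u.api_secret != 's-old'}")
```

A page on any origin can cause the cross-site GET with a plain image tag or link, and the browser attaches the session cookie on its own; the same-origin policy keeps the JSON response away from the attacker's page, so what the unrestricted endpoint gives away is not the new secret but the rotation itself: the victim's existing api_secret is replaced and whatever integration used it stops authenticating. Restricting the function to POST closes this only because POST requests are CSRF-checked, so when deploying the fix confirm that CSRF token validation has not been disabled in the site's configuration.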

Affected products (1)

  • cpe:2.3:a:frappe:press:*:*:*:*:*:*:*:*
    Range: <0.9.0

Patches (1)

52ea2f2d1b58

fix(account): Restrict `create_api_secret` to `POST`

https://github.com/frappe/press · Sabu Siyad · Mar 27, 2026 · via nvd-ref
1 file changed · +6 −10
  • press/api/account.py (modified, +6 −10)
    @@ -1029,21 +1029,17 @@ def mark_key_as_default(key_name):
     	key.save()
     
     
    -@frappe.whitelist()
    +@frappe.whitelist(methods=["POST"])
     def create_api_secret():
     	user = frappe.get_doc("User", frappe.session.user)
    -
    -	api_key = user.api_key
    +	user.api_key = user.api_key or frappe.generate_hash()
     	api_secret = frappe.generate_hash()
    -
    -	if not api_key:
    -		api_key = frappe.generate_hash()
    -		user.api_key = api_key
    -
     	user.api_secret = api_secret
     	user.save(ignore_permissions=True)
    -
    -	return {"api_key": api_key, "api_secret": api_secret}
    +	return {
    +		"api_key": user.api_key,
    +		"api_secret": api_secret,
    +	}
     
     
     @frappe.whitelist()
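Review bot: the fix is local to create_api_secret while the same bare @frappe.whitelist() pattern remains on the neighbouring endpoints in this file: the hunk header shows mark_key_as_default(key_name) ending in key.save(), and the function that follows create_api_secret is still decorated with plain @frappe.whitelist(), so any of them that write state are reachable via GET exactly as create_api_secret was; suggest auditing every whitelisted function in press/api/account.py that calls save() and adding methods=["POST"] to each. Since the reason for methods=["POST"] here is CSRF protection rather than REST semantics, a one-line comment above the decorator would keep a later cleanup from dropping it. The consolidation to user.api_key = user.api_key or frappe.generate_hash() preserves the previous behaviour (an existing key is kept, the secret is always rotated), so no functional concern there.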
    
