CVE-2026-44206
Description
Unauthenticated endpoint in Frappe versions <15.107.2 and <16.17.4 leaks database table names, aiding schema enumeration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated endpoint in Frappe versions <15.107.2 and <16.17.4 leaks database table names, aiding schema enumeration.
Vulnerability
An unauthenticated endpoint in Frappe (a full-stack web application framework) allows remote attackers to enumerate database schema (table names). The vulnerability affects all versions prior to 15.107.2 and 16.17.4 [1]. No authentication or special configuration is required to reach the vulnerable code path.
Exploitation
An attacker with network access to a vulnerable Frappe instance can send crafted requests to the exposed endpoint. No prior authentication, user interaction, or write access is needed. The endpoint returns database table names, enabling systematic schema discovery [1].
Impact
Successful exploitation results in disclosure of the database schema—specifically the names of database tables. This information can be used by an attacker to understand the application structure and plan further attacks, though no direct data or code execution is achieved. The confidentiality of the schema is compromised [1].
Mitigation
The issue has been patched in Frappe versions 15.107.2 and 16.17.4. Users must update to these versions or later. No workarounds are available [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
2e4a689bf015bfix: validate private file access before inserting
1 file changed · +31 −0
frappe/core/doctype/file/file.py+31 −0 modified@@ -110,6 +110,7 @@ def before_insert(self): self.validate_attachment_limit() self.set_file_type() self.validate_file_extension() + self.validate_private_file_access() if self.is_folder: return @@ -199,6 +200,36 @@ def enforce_public_file_restrictions(self): except PermissionError: frappe.throw(_("Only System Managers can make this file public.")) + def validate_private_file_access(self): + """Validate that the user has permission to access an existing private file.""" + if not self.file_url: + return + + existing_files = frappe.get_all( + "File", + filters={"file_url": self.file_url}, + fields=["name", "owner", "is_private"], + limit=1, + ) + + if not existing_files: + return + + existing_file = existing_files[0] + + if existing_file.is_private: + user = frappe.session.user + + if user == existing_file.owner or user == "Administrator": + return + + existing_doc = frappe.get_doc("File", existing_file.name) + if not has_permission(existing_doc, "read", user=user): + frappe.throw( + _("You do not have permission to access this file"), + frappe.PermissionError, + ) + def after_rename(self, *args, **kwargs): for successor in self.get_successors(): setup_folder_path(successor, self.name)
7341623ec4e4chore(release): Bumped to Version 15.107.2
1 file changed · +1 −1
frappe/__init__.py+1 −1 modified@@ -51,7 +51,7 @@ ) from .utils.lazy_loader import lazy_import -__version__ = "15.107.1" +__version__ = "15.107.2" __title__ = "Frappe Framework" # This if block is never executed when running the code. It is only used for
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.