VYPR
Medium severity · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-44207


Description

An IDOR vulnerability in Frappe before 15.107.0 and 16.17.0 allows authenticated users to access other users' email configuration details.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The vulnerability is an Insecure Direct Object Reference (IDOR) in Frappe Framework. Authenticated users can reach other users' Email Account documents because the whitelisted method that handles them performed no authorization check on the document named in the request. Affected are the 15.x line before 15.107.0 and the 16.x line before 16.17.0 [1].

Exploitation

An attacker needs only a valid authenticated session; no privileges beyond ordinary user access are required. Supplying another user's Email Account document name as the `email_account` argument of the `set_email_password` whitelisted method (the only patched code shown on this page) reaches that user's email configuration, because the method never verified that the caller had permission on the named document [1].

Impact

Successful exploitation lets an attacker act on another user's Email Account document. The NVD description frames this as disclosure of email configuration details, which may include mail server settings and addresses; the fix commit linked on this page guards the method that sets the account's email password, so the patched code path also let an attacker overwrite another user's email password. Confidentiality, and along the patched path integrity, of users' email configuration is compromised [1].

Mitigation

Patches are available in versions 15.107.0 and 16.17.0. Users should upgrade to these versions immediately. There are no workarounds, as stated in the advisory [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 products
  • Frappe/Frappe (inferred), 2 version ranges
    • (no CPE) range: >=15.0, <15.107.0; >=16.0, <16.17.0
    • (no CPE) range: <15.107.0; <16.17.0
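A quick way to apply the ranges above, as an added example written for this page rather than taken from the advisory or from Frappe: it classifies a version string against the two listed ranges and can read the version out of the `__version__` line in `frappe/__init__.py` (the line the 15.107.0 release commit below changes). The sample `__init__.py` content is constructed.

```python
"""Added example (not the advisory's or Frappe's own code): classify an installed
Frappe version against the affected ranges listed on this page.

Ranges from the page: >=15.0, <15.107.0 and >=16.0, <16.17.0. A version on a
release line the page does not mention (e.g. 14.x) is reported as such rather than
as "fixed", because the advisory says nothing about it.
"""
from __future__ import annotations

import re

# First fixed release per line, from the advisory's affected-products block.
FIXED_BY_LINE: dict[int, tuple[int, int, int]] = {
    15: (15, 107, 0),
    16: (16, 17, 0),
}

# MAJOR.MINOR.PATCH with an optional "-dev"/"+build" tail; the tail is ignored, so a
# pre-release such as "16.17.0-dev" is treated as 16.17.0 (an optimistic assumption).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")

# Shape of the assignment the 15.107.0 release commit changes in frappe/__init__.py.
_INIT_VERSION_RE = re.compile(r'^__version__\s*=\s*"([^"]+)"', re.MULTILINE)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '15.106.0' into (15, 106, 0); reject anything that is not three integers."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Frappe version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def version_from_init(init_source: str) -> str:
    """Extract the __version__ string from the contents of frappe/__init__.py."""
    match = _INIT_VERSION_RE.search(init_source)
    if not match:
        raise ValueError("no __version__ assignment found")
    return match.group(1)


def assess(version: str) -> str:
    """Return 'affected', 'fixed', or 'not in a listed range' for a version string."""
    parsed = parse_version(version)
    first_fixed = FIXED_BY_LINE.get(parsed[0])
    if first_fixed is None:
        return "not in a listed range"
    return "affected" if parsed < first_fixed else "fixed"


# Constructed sample of the relevant lines of frappe/__init__.py on an unpatched site.
SAMPLE_INIT = '''from .utils.lazy_loader import lazy_import

__version__ = "15.106.0"
__title__ = "Frappe Framework"
'''

if __name__ == "__main__":
    for candidate in ("15.106.0", "15.107.0", "16.16.3", "16.17.0", "14.80.0"):
        print(f"{candidate:>9}: {assess(candidate)}")
    print("sample __init__.py:", assess(version_from_init(SAMPLE_INIT)))
```

On a live site the installed version is `frappe.__version__`, the attribute the release commit below bumps; a pre-release tail such as `-dev` is discarded here, so treat a "fixed" verdict on a development build as provisional and confirm the permission check is present in the code.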

Patches

2
7f508f2793cf

fix(email_account): add perm. check to set_email_password

https://github.com/frappe/frappe · AarDG10 · Apr 27, 2026 · Fixed in 16.17.0 · via llm-release-walk
1 file changed · +5 −0
  • frappe/email/doctype/email_account/email_account.py · +5 −0 · modified
    @@ -1127,7 +1127,12 @@ def remove_user_email_inbox(email_account):
     
     
     @frappe.whitelist()
    +<<<<<<< HEAD
     def set_email_password(email_account, password):
    +=======
    +def set_email_password(email_account: str, password: str):
    +	frappe.has_permission("Email Account", "write", email_account, throw=True)
    +>>>>>>> dd9450dc46 (fix(email_account): add perm. check to set_email_password)
     	account = frappe.get_doc("Email Account", email_account)
     	if account.awaiting_password and account.auth_method != "OAuth":
     		account.awaiting_password = 0
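Review bot: the hunk as shown adds the conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> dd9450dc46 (...)` as new lines of `email_account.py`, which would make the module unimportable (a Python SyntaxError) in 16.17.0; the conflict has to be resolved by keeping the typed signature `def set_email_password(email_account: str, password: str):` together with `frappe.has_permission("Email Account", "write", email_account, throw=True)` and dropping the untyped HEAD signature. The check itself sits in the right place, ahead of `frappe.get_doc`, so an unauthorized caller never loads the target document.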
    
0fe914732ed2

chore(release): Bumped to Version 15.107.0

https://github.com/frappe/frappe · Frappe PR Bot · Apr 28, 2026 · Fixed in 15.107.0 · via release-tag
1 file changed · +1 −1
  • frappe/__init__.py · +1 −1 · modified
    @@ -51,7 +51,7 @@
     )
     from .utils.lazy_loader import lazy_import
     
    -__version__ = "15.106.0"
    +__version__ = "15.107.0"
     __title__ = "Frappe Framework"
     
     # This if block is never executed when running the code. It is only used for
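Review bot: this commit only moves `__version__` from "15.106.0" to "15.107.0" and touches no code in `email_account.py`, so the page shows the 16.x fix but not the version-15 backport of the permission check. Anyone verifying a 15.x deployment should confirm that `set_email_password` in their tree opens with the `frappe.has_permission("Email Account", "write", email_account, throw=True)` call rather than relying on the version number alone.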
    

Vulnerability mechanics

Root cause

"Missing permission check in the `set_email_password` whitelisted method allows any authenticated user to modify another user's email account password."

Attack vector

An authenticated user can call the `set_email_password` whitelisted endpoint with an arbitrary `email_account` name and a new password. Because the method did not verify that the caller has write permission on the target Email Account, the attacker can overwrite the email password of any other user's email configuration [patch_id=5723740]. This is an Insecure Direct Object Reference (IDOR) vulnerability.

Affected code

The vulnerability exists in the `set_email_password` whitelisted method in `frappe/email/doctype/email_account/email_account.py`. The method lacked a permission check before allowing an authenticated user to set the password on any Email Account document.

What the fix does

The patch adds a call to `frappe.has_permission("Email Account", "write", email_account, throw=True)` at the top of `set_email_password`, which enforces that the caller must have write-level permission on the specific Email Account document before the password can be changed [patch_id=5723740]. If the permission check fails, the request is rejected with an exception, closing the IDOR gap.
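The missing check and the fix side by side, as an added example that is not Frappe's code and not part of the advisory. The in-memory document store, the session user, the owner-or-admin write rule and the `has_permission()` stand-in are all constructed assumptions; only the shape of `set_email_password` and the `frappe.has_permission("Email Account", "write", email_account, throw=True)` line follow the patch shown above.

```python
"""Added example, not code from Frappe or from this advisory: an offline model of the
set_email_password IDOR and of the permission gate the fix inserts.

The real method is a @frappe.whitelist() function in
frappe/email/doctype/email_account/email_account.py. Everything below (the document
store, the session user, the owner-or-admin write rule, and a has_permission() with
the same call shape as frappe.has_permission(doctype, ptype, doc, throw=True)) is a
constructed stand-in; Frappe's real permission engine (roles, User Permissions,
share rules) is much richer than this.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class FrappePermissionError(Exception):
    """Stand-in for frappe.PermissionError, which throw=True raises in Frappe."""


@dataclass
class EmailAccount:
    name: str
    owner: str                    # user who created the document
    password: str = ""
    awaiting_password: int = 1    # set when the account was saved without a password
    auth_method: str = "Basic"


@dataclass
class Site:
    """The slice of the frappe module the method touches, held in memory."""
    docs: dict[str, EmailAccount]
    session_user: str = "Guest"
    admins: set[str] = field(default_factory=set)

    def get_doc(self, doctype: str, name: str) -> EmailAccount:
        if doctype != "Email Account" or name not in self.docs:
            raise KeyError(f"{doctype} {name!r} not found")
        return self.docs[name]

    def has_permission(self, doctype: str, ptype: str, doc: str, throw: bool = False) -> bool:
        """Constructed rule: the owner or an admin may write; anyone else is refused."""
        target = self.get_doc(doctype, doc)
        allowed = self.session_user == target.owner or self.session_user in self.admins
        if not allowed and throw:
            raise FrappePermissionError(f"{self.session_user}: no {ptype} on {doctype} {doc!r}")
        return allowed


def set_email_password_before_fix(site: Site, email_account: str, password: str) -> EmailAccount:
    """Pre-fix shape from the hunk: the caller's identity is never consulted."""
    account = site.get_doc("Email Account", email_account)
    if account.awaiting_password and account.auth_method != "OAuth":
        account.awaiting_password = 0
        # The rest of the real method is not shown on the page; storing the value here
        # is a constructed step so the effect of the call is observable.
        account.password = password
    return account


def set_email_password_after_fix(site: Site, email_account: str, password: str) -> EmailAccount:
    """Post-fix shape: write permission on the named document is checked first,
    before the document is even loaded."""
    site.has_permission("Email Account", "write", email_account, throw=True)
    return set_email_password_before_fix(site, email_account, password)


def fresh_site() -> Site:
    # Constructed data: alice owns one Email Account; mallory is an unrelated user.
    return Site(docs={"alice@example.com": EmailAccount(name="alice@example.com", owner="alice")})


def demo() -> dict[str, bool]:
    """Run the IDOR against both shapes and report what each one let happen."""
    results: dict[str, bool] = {}

    site = fresh_site()
    site.session_user = "mallory"
    hijacked = set_email_password_before_fix(site, "alice@example.com", "attacker-chosen")
    results["before_fix_overwrote_other_users_password"] = hijacked.password == "attacker-chosen"

    site = fresh_site()
    site.session_user = "mallory"
    try:
        set_email_password_after_fix(site, "alice@example.com", "attacker-chosen")
        results["after_fix_blocked_other_user"] = False
    except FrappePermissionError:
        results["after_fix_blocked_other_user"] = True
    results["after_fix_left_document_untouched"] = site.docs["alice@example.com"].password == ""

    site.session_user = "alice"
    own = set_email_password_after_fix(site, "alice@example.com", "owner-chosen")
    results["after_fix_owner_still_allowed"] = own.password == "owner-chosen" and own.awaiting_password == 0
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point the model makes explicit is ordering: the fixed shape refuses the request before the document is fetched, so a rejected caller learns nothing beyond the permission error and the stored password is never touched, while the legitimate owner's call still succeeds unchanged.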

Preconditions

  • auth: The attacker must be an authenticated user of the Frappe application.
  • input: The attacker must know or guess the name of another user's Email Account document.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.