CVE-2026-44208
Description
Frappe Framework versions prior to 15.107.0 and 16.17.0 lack validations in the submit_discussion() endpoint, allowing unauthorized access to resources.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The submit_discussion() endpoint in Frappe Framework versions prior to 15.107.0 and 16.17.0 lacks proper input validation and authorization checks. This allows an attacker to access or modify discussion resources without appropriate permissions. The vulnerability is classified as an Insecure Direct Object Reference (IDOR) [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests to the submit_discussion() endpoint. No authentication or special privileges are required; the attacker only needs network access to the Frappe instance. By manipulating parameters, the attacker can access discussion resources belonging to other users or perform unauthorized actions [1].
Impact
Successful exploitation leads to unauthorized access to discussion resources, potentially including reading, modifying, or deleting discussions. This compromises the confidentiality and integrity of the application's discussion data. The attacker may gain access to sensitive information or disrupt normal operations [1].
Mitigation
The issue has been patched in Frappe Framework versions 15.107.0 and 16.17.0. Users should update to these versions immediately. No workarounds are available; updating is the only remediation [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 2
96cb74eee299 fix(discussion_topic): add perm. check to submit_discussion method
1 file changed · +2 −0
frappe/website/doctype/discussion_topic/discussion_topic.py+2 −0 modified@@ -26,6 +26,8 @@ class DiscussionTopic(Document): def submit_discussion(doctype, docname, reply, title, topic_name=None, reply_name=None): if reply_name: doc = frappe.get_doc("Discussion Reply", reply_name) + if doc.owner != frappe.session.user: + frappe.throw(frappe._("You can only edit your own replies."), frappe.PermissionError) doc.reply = reply doc.save(ignore_permissions=True) return
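Review bot: In the `if reply_name:` branch the new `doc.owner != frappe.session.user` comparison is immediately followed by `doc.save(ignore_permissions=True)`, so this one equality test is the only thing enforcing access on the write. Consider dropping `ignore_permissions=True` on this path or routing the decision through the document's regular permission check, so the framework's permission model is the enforcement point and roles that legitimately moderate replies are not silently excluded. The branch also never confirms that the loaded reply belongs to the `doctype`, `docname` or `topic_name` passed in, and the commit changes one file with no test; a regression test asserting that a non-owner call raises `frappe.PermissionError` and leaves `doc.reply` unchanged would lock the fix in.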
0fe914732ed2 chore(release): Bumped to Version 15.107.0
1 file changed · +1 −1
frappe/__init__.py+1 −1 modified@@ -51,7 +51,7 @@ ) from .utils.lazy_loader import lazy_import -__version__ = "15.106.0" +__version__ = "15.107.0" __title__ = "Frappe Framework" # This if block is never executed when running the code. It is only used for
Vulnerability mechanics
Root cause
"Missing ownership validation in the submit_discussion() endpoint allows an authenticated user to edit another user's discussion reply."
Attack vector
An authenticated attacker can call the `submit_discussion()` endpoint with a `reply_name` parameter referencing another user's reply. Because the function lacked an ownership check before saving the reply with `ignore_permissions=True`, the attacker could overwrite the content of any existing reply. The patch adds a check that the document's `owner` must match `frappe.session.user`, preventing unauthorized edits.
Affected code
The vulnerability exists in `frappe/website/doctype/discussion_topic/discussion_topic.py` in the `submit_discussion()` function. When a `reply_name` is provided, the function retrieves the `Discussion Reply` document and saves it with `ignore_permissions=True` without first verifying that the current user owns the reply.
What the fix does
The patch in `discussion_topic.py` adds a permission check before saving a reply: if `doc.owner != frappe.session.user`, it throws a `frappe.PermissionError` with the message "You can only edit your own replies." This ensures that only the original author of a discussion reply can modify it, closing the unauthorized access vector.
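An audit heuristic for the pattern this fix addresses, as an added example (not Frappe's code): it parses Python source with `ast` and reports `ignore_permissions=True` calls inside functions that contain neither a comparison on `.owner` nor a `has_permission`/`check_permission` call, which generalizes from the one function on the page to any function of the same shape. The guard list, the function names in this sketch, and the two embedded samples (excerpted from the diff above) are assumptions.

```python
import ast

# Constructed samples: the reply_name branch from the page's diff, before and after the fix.
UNPATCHED = '''
def submit_discussion(doctype, docname, reply, title, topic_name=None, reply_name=None):
    if reply_name:
        doc = frappe.get_doc("Discussion Reply", reply_name)
        doc.reply = reply
        doc.save(ignore_permissions=True)
'''
PATCHED = '''
def submit_discussion(doctype, docname, reply, title, topic_name=None, reply_name=None):
    if reply_name:
        doc = frappe.get_doc("Discussion Reply", reply_name)
        if doc.owner != frappe.session.user:
            frappe.throw(frappe._("You can only edit your own replies."), frappe.PermissionError)
        doc.reply = reply
        doc.save(ignore_permissions=True)
'''

# Assumption of this heuristic: calls with these names count as an explicit permission check.
PERM_CALLS = {"has_permission", "check_permission"}

def _bypasses_permissions(node):
    """True for a call such as doc.save(ignore_permissions=True)."""
    return isinstance(node, ast.Call) and any(
        kw.arg == "ignore_permissions"
        and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords)

def _is_guard(node):
    """True for a comparison that reads `.owner`, or a call to one of PERM_CALLS."""
    if isinstance(node, ast.Compare):
        return any(isinstance(n, ast.Attribute) and n.attr == "owner" for n in ast.walk(node))
    return isinstance(node, ast.Call) and getattr(node.func, "attr", None) in PERM_CALLS

def unguarded_bypasses(source):
    """Return (function, line) for each bypassing call in a function that has no guard."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        nodes = list(ast.walk(fn))
        if not any(_is_guard(n) for n in nodes):
            findings += [(fn.name, n.lineno) for n in nodes if _bypasses_permissions(n)]
    return findings

if __name__ == "__main__":
    print(unguarded_bypasses(UNPATCHED), unguarded_bypasses(PATCHED))
```

A clean result means only that some guard exists in the function, not that it sits on the path to the save, so treat findings as leads for manual review.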
Preconditions
- auth: The attacker must be an authenticated user of the Frappe application.
- input: The attacker must know or guess the `reply_name` of an existing reply owned by another user.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.