VYPR
Medium severity · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-44975

Description

Any authenticated user in Frappe can reset onboarding for all users due to missing authorization, patched in versions 15.107.2 and 16.17.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Frappe, a full-stack web application framework, contains a missing authorization vulnerability in the onboarding reset functionality. Prior to versions 15.107.2 and 16.17.4, any authenticated user can trigger a reset of the onboarding state for all users system-wide, without requiring administrative privileges. The issue is tracked as GHSA-9cxj-48g3-jx22 [1].

Exploitation

An attacker needs only a valid authentication token or session for any user account in the Frappe instance. No additional privileges or special access are required. The attacker can invoke the vulnerable API endpoint that resets the onboarding form tours, causing a system-wide reset that affects all users.

Impact

Successful exploitation allows an attacker to disrupt the onboarding experience for every user on the system by resetting their onboarding progress. This can lead to confusion, repeated tutorials, and potential misconfiguration of user preferences. The issue has a CVSS severity of Medium [1].

Mitigation

The vulnerability has been fixed in Frappe versions 15.107.2 and 16.17.4. Users should upgrade to these versions or later. No workaround is documented. The advisory is available at the GitHub Security Advisory [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Frappe/Frappe (inferred), 2 version ranges
    • (no CPE) range: >=15.0,<15.107.2 || >=16.0,<16.17.4
    • (no CPE) range: <15.107.2 || >=16.0.0 <16.17.4

Patches (2)

1c71c4c306db

fix: restrict resetting of form tours (#39026)

https://github.com/frappe/frappe · Soham Kulkarni · May 1, 2026 · Fixed in 15.107.2 · via llm-release-walk
1 file changed · +5 −0
  • frappe/desk/doctype/form_tour/form_tour.py (+5 −0, modified)
    @@ -75,7 +75,12 @@ def on_trash(self):
     
     
     @frappe.whitelist()
    +<<<<<<< HEAD
     def reset_tour(tour_name):
    +=======
    +def reset_tour(tour_name: str):
    +	frappe.only_for("System Manager")
    +>>>>>>> 1b2cf94563 (fix: restrict resetting of form tours (#39026))
     	for user in frappe.get_all("User", pluck="name"):
     		onboarding_status = frappe.parse_json(frappe.db.get_value("User", user, "onboarding_status"))
     		onboarding_status.pop(tour_name, None)
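Review bot: the hunk commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 1b2cf94563 ...`) into form_tour.py, so the file as shown will not parse; resolve it to the single `def reset_tour(tour_name: str):` line followed by `frappe.only_for("System Manager")` before merging. With the markers resolved, placing the `only_for` guard ahead of the loop over every `User` is the right shape for this `@frappe.whitelist()` endpoint, since nothing else in the function limits who may call it.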
    
55460d873280

fix(onboarding): only update allowed fields

https://github.com/frappe/frappe · sokumon · Apr 29, 2026 · Fixed in 16.17.4 · via llm-release-walk
1 file changed · +3 −0
  • frappe/desk/desktop.py (+3 −0, modified)
    @@ -659,6 +659,9 @@ def update_onboarding_step(name: str | int, field: str, value: int | str):
     	"""
     	from frappe.utils.telemetry import capture
     
    +	allowed_fields = ["is_skipped", "is_complete"]
    +	if field not in allowed_fields:
    +		return
     	frappe.db.set_value("Onboarding Step", name, field, value)
     
     	capture(frappe.scrub(name), app="frappe_onboarding", properties={field: value})
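Review bot: the allowlist check `if field not in allowed_fields: return` refuses the write silently, so a caller that passes a disallowed field gets a normal response and nothing is logged about the refusal; consider raising (for example with `frappe.throw`) so the rejection is visible to the client and in the server logs. The docstring just above the hunk should also state that only `is_skipped` and `is_complete` are writable through this endpoint, and `allowed_fields` would read better as a module-level constant than a list rebuilt on every call.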
    

Vulnerability mechanics

Root cause

"Missing authorization check on `reset_tour` and missing field allowlist on `update_onboarding_step` allow any authenticated user to reset onboarding for all users or modify arbitrary onboarding-step fields."

Attack vector

An authenticated user with any role can call the whitelisted `reset_tour` endpoint to clear a form-tour (onboarding) entry for every user in the system, because the function lacked a role check [patch_id=5723732]. Separately, the `update_onboarding_step` endpoint allowed setting any field on an `Onboarding Step` record, not just the intended `is_skipped` or `is_complete` fields, enabling unauthorized modification of arbitrary step properties [patch_id=5723733]. Both endpoints are accessible over HTTP to any logged-in user.

Affected code

The vulnerability exists in `frappe/desk/doctype/form_tour/form_tour.py` and `frappe/desk/desktop.py`. In `reset_tour`, there was no permission check before iterating all users and modifying their onboarding status. In `update_onboarding_step`, arbitrary fields could be set on `Onboarding Step` records without validation.

What the fix does

Patch [patch_id=5723732] adds `frappe.only_for("System Manager")` to the `reset_tour` function, restricting the endpoint to users with the System Manager role. Patch [patch_id=5723733] introduces an `allowed_fields` list containing only `"is_skipped"` and `"is_complete"` and returns early if the requested field is not in that list, preventing arbitrary field writes on `Onboarding Step` records.
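The two guards described above, as an added example that is not Frappe's own code: the pre-fix `reset_tour` beside the patched one, and the patched `update_onboarding_step` allowlist, run against a small in-memory stand-in for the Frappe database. The `only_for`, `sample_state` and `PermissionError_` names are assumptions standing in for `frappe.only_for`, the `User`/`Onboarding Step` tables and `frappe.PermissionError`.

```python
# Added example, not Frappe's own code. A plain dict plays the database; only_for is a
# stand-in for frappe.only_for(role) and PermissionError_ for frappe.PermissionError.

class PermissionError_(Exception):
    """Raised in place of frappe.PermissionError when a role check fails."""

def sample_state():
    # Constructed sample data: two users who finished "sales-tour", one onboarding step.
    users = {
        "alice@example.com": {"roles": {"System Manager"}, "onboarding_status": {"sales-tour": 1}},
        "bob@example.com": {"roles": {"Sales User"}, "onboarding_status": {"sales-tour": 1}},
    }
    steps = {"Create Lead": {"is_complete": 0, "is_skipped": 0, "action": "Create Entry"}}
    return users, steps

def only_for(users, session_user, role):
    # Stand-in for frappe.only_for: refuse unless the session user holds the role.
    if role not in users[session_user]["roles"]:
        raise PermissionError_(f"{session_user} is not a {role}")

def reset_tour_before_fix(users, session_user, tour_name):
    # Pre-15.107.2 behaviour: no role check, so any session clears the tour for every
    # user. Returns the users whose entry was removed.
    cleared = []
    for name, data in users.items():
        if data["onboarding_status"].pop(tour_name, None) is not None:
            cleared.append(name)
    return cleared

def reset_tour(users, session_user, tour_name):
    # Patched behaviour: the role guard runs before the loop over all users.
    only_for(users, session_user, "System Manager")
    return reset_tour_before_fix(users, session_user, tour_name)

ALLOWED_FIELDS = ("is_skipped", "is_complete")  # mirrors the patch's allowed_fields

def update_onboarding_step(steps, name, field, value):
    # Patched behaviour: writes outside the allowlist are refused. The patch returns
    # silently; this version reports the refusal to the caller as False.
    if field not in ALLOWED_FIELDS:
        return False
    steps[name][field] = value
    return True
```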

Preconditions

  • auth: Attacker must be an authenticated user of the Frappe application.
  • network: The `reset_tour` endpoint or `update_onboarding_step` endpoint must be reachable via HTTP.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)
