CVE-2026-44976
Description
Any authenticated user can modify any field in any Onboarding Step record in Frappe before 16.17.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An insecure direct object reference (IDOR) vulnerability exists in the update_onboarding_step endpoint of Frappe prior to version 16.17.4. This allows any authenticated user to modify any field of any Onboarding Step record, regardless of ownership or permissions. The affected versions are all releases before 16.17.4 [1].
Exploitation
An attacker needs only a valid user session in Frappe. The attacker can send a crafted request to the update_onboarding_step endpoint, specifying the target record ID and arbitrary field values. No special privileges or user interaction beyond standard authentication are required [1].
Impact
Successful exploitation allows the attacker to arbitrarily alter Onboarding Step records. Depending on the field values modified, this could disrupt onboarding workflows, corrupt data, or potentially lead to further privilege escalation if the onboarding steps control access or configuration. The attacker gains unauthorized write access to a record they should not be able to modify [1].
Mitigation
The vulnerability is patched in Frappe version 16.17.4. Users should upgrade to version 16.17.4 or later immediately. There are no known workarounds for this vulnerability [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
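The defect and the fix described above, as an added example that is not Frappe's own code: an in-memory model of the `update_onboarding_step` handler before the fix (any field of any record is writable) beside a hardened version that applies the patch's field allow-list, adds a record-level permission check, and refuses loudly instead of returning silently. The records, user names and the "only the record's owner may write" rule are constructed for this demo and are not Frappe's permission model.

```python
# Added example (not Frappe's code): model of the update_onboarding_step IDOR
# and of a hardened handler. Records, users and the permission rule are constructed.
from dataclasses import dataclass


class OnboardingWriteRefused(Exception):
    """Raised when the hardened handler refuses a write."""


@dataclass
class OnboardingStep:
    name: str
    owner: str                 # constructed: who may update this record
    is_complete: int = 0
    is_skipped: int = 0
    action: str = "Go to page"  # a field the endpoint should never let callers change


# Constructed sample records: two users, one step each.
DB = {
    "welcome": OnboardingStep("welcome", owner="alice"),
    "setup-roles": OnboardingStep("setup-roles", owner="bob"),
}


def update_onboarding_step_vulnerable(user: str, name: str, fieldname: str, value):
    """Pre-fix behaviour: the caller's identity and the field name are never checked."""
    setattr(DB[name], fieldname, value)
    return getattr(DB[name], fieldname)


ALLOWED_FIELDS = frozenset({"is_complete", "is_skipped"})  # the patch's allow-list


def update_onboarding_step_hardened(user: str, name: str, fieldname: str, value):
    """Post-fix field allow-list, plus a record-level permission check and an explicit error."""
    if fieldname not in ALLOWED_FIELDS:
        raise OnboardingWriteRefused(f"field {fieldname!r} is not writable here")
    doc = DB.get(name)
    if doc is None or doc.owner != user:  # constructed rule: only the owner may write
        raise OnboardingWriteRefused(f"{user!r} may not modify step {name!r}")
    setattr(doc, fieldname, int(value))   # allow-listed fields are integer flags
    return getattr(doc, fieldname)


def attempt(handler, user: str, name: str, fieldname: str, value):
    """Run a handler and report either the stored value or 'refused'."""
    try:
        return handler(user, name, fieldname, value)
    except OnboardingWriteRefused:
        return "refused"
```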
Affected products
Patches (2)
255460d873280 fix(onboarding): only update allowed fields
1 file changed · +3 −0
frappe/desk/desktop.py+3 −0 modified@@ -659,6 +659,9 @@ def update_onboarding_step(name: str | int, field: str, value: int | str): """ from frappe.utils.telemetry import capture + allowed_fields = ["is_skipped", "is_complete"] + if field not in allowed_fields: + return frappe.db.set_value("Onboarding Step", name, field, value) capture(frappe.scrub(name), app="frappe_onboarding", properties={field: value})
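Review bot: the allow-list stops arbitrary field writes, but nothing in this hunk checks that the caller may write the named record: `frappe.db.set_value("Onboarding Step", name, field, value)` still runs for any authenticated user and any `name`, and `frappe.db.set_value` writes directly without a document permission check, so the "regardless of ownership or permissions" part of the advisory is only half addressed; consider a `frappe.has_permission("Onboarding Step", "write", doc=name)` check before the write. The bare `return` on a disallowed field also hides probing from the caller and from logs; `frappe.throw` on the rejected field would make such requests visible.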
75baafaa0bde chore(release): Bumped to Version 16.17.5
1 file changed · +1 −1
frappe/__init__.py+1 −1 modified@@ -55,7 +55,7 @@ render_template, ) -__version__ = "16.17.4" +__version__ = "16.17.5" __title__ = "Frappe Framework" if TYPE_CHECKING: # pragma: no cover
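Review bot: this is a release marker with no behavioural change, but it moves `__version__` from "16.17.4" to "16.17.5" while the advisory text above names 16.17.4 as the fixed version; confirm that commit 255460d873280 is contained in the 16.17.4 tag before telling users that version is safe, otherwise the upgrade guidance should say 16.17.5.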
References (1)
News mentions (0): no linked articles in the index yet.