CVE-2026-47182
Description
Authenticated users in Frappe <16.17.4 can access private files by guessing their paths, leading to unauthorized file disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Frappe, a full-stack web application framework, prior to version 16.17.4 contains a broken access control vulnerability on private files. Any authenticated user can access private files by guessing or enumerating the file path, bypassing intended permissions. The issue affects all versions before 16.17.4 [1].
Exploitation
An attacker must be an authenticated user of the Frappe instance. No additional privileges or special conditions are required. The attacker can access private files by crafting requests with guessed or enumerated file paths, exploiting the lack of proper access control checks [1].
Impact
Successful exploitation allows an attacker to read private files that should be restricted. This leads to unauthorized disclosure of potentially sensitive information, compromising confidentiality. The attack does not grant write access or privilege escalation beyond file read [1].
Mitigation
The vulnerability has been patched in Frappe version 16.17.4. Users should upgrade to this version or later immediately. No workarounds or alternative mitigations are documented. The issue is not listed on CISA's Known Exploited Vulnerabilities catalog at this time [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
1e4a689bf015b fix: validate private file access before inserting
1 file changed · +31 −0
frappe/core/doctype/file/file.py+31 −0 modified@@ -110,6 +110,7 @@ def before_insert(self): self.validate_attachment_limit() self.set_file_type() self.validate_file_extension() + self.validate_private_file_access() if self.is_folder: return @@ -199,6 +200,36 @@ def enforce_public_file_restrictions(self): except PermissionError: frappe.throw(_("Only System Managers can make this file public.")) + def validate_private_file_access(self): + """Validate that the user has permission to access an existing private file.""" + if not self.file_url: + return + + existing_files = frappe.get_all( + "File", + filters={"file_url": self.file_url}, + fields=["name", "owner", "is_private"], + limit=1, + ) + + if not existing_files: + return + + existing_file = existing_files[0] + + if existing_file.is_private: + user = frappe.session.user + + if user == existing_file.owner or user == "Administrator": + return + + existing_doc = frappe.get_doc("File", existing_file.name) + if not has_permission(existing_doc, "read", user=user): + frappe.throw( + _("You do not have permission to access this file"), + frappe.PermissionError, + ) + def after_rename(self, *args, **kwargs): for successor in self.get_successors(): setup_folder_path(successor, self.name)
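Review bot: the new `self.validate_private_file_access()` call is wired only into `before_insert`, so the owner/read check runs once, when a File document is created, and not when `file_url` is later changed on an existing document; if `file_url` is editable after insert, the same check belongs in `validate` (or wherever `file_url` changes are processed) as well. Placing the call ahead of the `if self.is_folder: return` early exit is harmless, because the method returns immediately when `file_url` is empty, but moving it below that line would avoid a needless `File` query for folders.

Review bot: `frappe.get_all("File", filters={"file_url": self.file_url}, ..., limit=1)` returns one arbitrary match, so when several File records point at the same `file_url` and one of them is public, the record picked may be the public one and the private-file check is skipped entirely; filter on `is_private: 1` (or drop `limit=1` and deny if any match is private) so a private record cannot be shadowed by a public one. Also, `has_permission` is called unqualified and the hunk adds no import; confirm it is already imported in `file.py`, otherwise the deny path fails with `NameError` instead of raising `frappe.PermissionError`.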
Vulnerability mechanics
Root cause
"Missing permission validation when inserting a File document that references an existing private file URL."
Attack vector
An authenticated attacker can access private files by guessing or knowing the file URL of a private file and inserting a new File document that references that URL. The `before_insert` hook did not check whether the user had permission on the existing private file, so the attacker could create a File record pointing to the private file and then read it. The fix adds a permission check in `validate_private_file_access` that throws a `PermissionError` if the user is not the owner, is not Administrator, and lacks read permission on the existing file [patch_id=5723729].
Affected code
The vulnerability exists in `frappe/core/doctype/file/file.py`. The `before_insert` method lacked a call to validate whether the current user has permission to reference an existing private file via `file_url`. The patch adds `self.validate_private_file_access()` in `before_insert` and introduces the new `validate_private_file_access` method.
What the fix does
The patch adds a call to `self.validate_private_file_access()` inside the `before_insert` method of the File doctype. The new method queries for existing files with the same `file_url`, and if an existing private file is found, it checks whether the current user is the owner, is Administrator, or has explicit read permission via `has_permission`. If none of these conditions are met, it throws a `frappe.PermissionError`. This prevents an attacker from creating a File document that references a private file they are not authorized to access.
Preconditions
- auth: The attacker must be an authenticated user of the Frappe application.
- input: The attacker must know or guess the `file_url` of an existing private file.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.