{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29077", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.483Z", "datePublished": "2026-03-05T20:22:09.612Z", "dateUpdated": "2026-03-06T17:02:25.318Z"}, "containers": {"cna": {"title": "Frappe: Broken Access Control in DocShare", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-602", "lang": "en", "description": "CWE-602: Client-Side Enforcement of Server-Side Security", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-5h4c-9p23-4c3m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-5h4c-9p23-4c3m"}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"version": "< 15.98.0", "status": "affected"}, {"version": "< 14.100.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:22:09.612Z"}, "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0."}], "source": {"advisory": "GHSA-5h4c-9p23-4c3m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T17:02:17.204446Z", "id": "CVE-2026-29077", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:02:25.318Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29077", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T17:02:17.204446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:02:21.716Z"}}], "cna": {"title": "Frappe: Broken Access Control in DocShare", "source": {"advisory": "GHSA-5h4c-9p23-4c3m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"status": "affected", "version": "< 15.98.0"}, {"status": "affected", "version": "< 14.100.0"}]}], "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-5h4c-9p23-4c3m", "name": "https://github.com/frappe/frappe/security/advisories/GHSA-5h4c-9p23-4c3m", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-602", "description": "CWE-602: Client-Side Enforcement of Server-Side Security"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:22:09.612Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29077", "state": "PUBLISHED", "dateUpdated": "2026-03-06T17:02:25.318Z", "dateReserved": "2026-03-03T20:51:43.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T20:22:09.612Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "99159798-410A-48C5-BFEE-C0B9D005CAF5", "versionEndExcluding": "14.100.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFC828B1-AD37-44DB-80F6-EA1513BDC917", "versionEndExcluding": "15.98.0", "versionStartIncluding": "15.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0."}, {"lang": "es", "value": "Frappe es un framework de aplicaci\u00f3n web full-stack. Antes de las versiones 15.98.0 y 14.100.0, debido a una falta de validaci\u00f3n al compartir documentos, un usuario pod\u00eda compartir un documento con un permiso que ellos mismos no ten\u00edan. Este problema ha sido parcheado en las versiones 15.98.0 y 14.100.0."}], "id": "CVE-2026-29077", "lastModified": "2026-03-09T19:04:25.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T21:16:22.790", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-5h4c-9p23-4c3m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-602"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.98.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,14.100.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "frappe", "source": "cna", "vendor": "frappe"}, "product": "frappe", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-17T12:39:56.008219+00:00", "value": {"mitigation_remediation": ["Upgrade Frappe to version\u202f15.98.0 or\u202f14.100.0 or later to remove the validation flaw.", "If an immediate upgrade is not possible, disable the DocShare functionality or enforce stricter permission checks so that users cannot assign permissions higher than their own.", "Review and remove any custom code or scripts that bypass access control checks for document sharing to ensure rigorous authorization enforcement."], "summary": {"action": "Immediate patch", "impact": "Broken access control allowing users to grant others unauthorized permissions to documents"}, "threat_synthesis": {"affected_systems": "The issue affects the Frappe web application framework. Versions earlier than 15.98.0, and versions earlier than 14.100.0, are vulnerable. The fix is included in Frappe 15.98.0 and 14.100.0 and later releases.", "description_and_impact": "The vulnerability allows a user to share a document with a permission level that the user does not possess, effectively bypassing the access control enforced by the application. As a result, the user may gain unauthorized access to documents that contain sensitive information. This flaw is classified as an improper access control weakness (CWE\u2011284) and a resource access control issue (CWE\u2011602).", "risk_and_exploitability": "The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1\u202f% suggests the likelihood of exploitation is low in the short term. This vulnerability is not listed in the CISA catalog of known exploited vulnerabilities, implying no confirmed high\u2011profile exploitation. Attackers would need to be authenticated users of the application. Exploitation is achieved by selecting a higher permission level when sharing a document, which the system does not validate against the user\u2019s own privileges. Monitoring for abnormal document sharing permissions is advised, but the primary mitigation is to apply the vendor\u2019s patch."}}}}, "created": "2026-03-06T15:01:01.638063+00:00", "updated": "2026-04-17T12:45:16.145116+00:00", "vendors": ["frappe", "frappe$PRODUCT$frappe"]}