{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41317", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T14:01:46.671Z", "datePublished": "2026-04-24T02:40:16.528Z", "dateUpdated": "2026-04-24T12:05:33.679Z"}, "containers": {"cna": {"title": "Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/frappe/press/security/advisories/GHSA-q4wg-jrr8-vpwf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/press/security/advisories/GHSA-q4wg-jrr8-vpwf"}, {"name": "https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd"}], "affected": [{"vendor": "frappe", "product": "press", "versions": [{"version": "< 52ea2f2d1b587be0807557e96f025f47897d00fd", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:40:16.528Z"}, "descriptions": [{"lang": "en", "value": "Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST."}], "source": {"advisory": "GHSA-q4wg-jrr8-vpwf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T12:05:27.312950Z", "id": "CVE-2026-41317", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T12:05:33.679Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41317", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T12:05:27.312950Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T12:05:30.578Z"}}], "cna": {"title": "Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation", "source": {"advisory": "GHSA-q4wg-jrr8-vpwf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "frappe", "product": "press", "versions": [{"status": "affected", "version": "< 52ea2f2d1b587be0807557e96f025f47897d00fd"}]}], "references": [{"url": "https://github.com/frappe/press/security/advisories/GHSA-q4wg-jrr8-vpwf", "name": "https://github.com/frappe/press/security/advisories/GHSA-q4wg-jrr8-vpwf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd", "name": "https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:40:16.528Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41317", "state": "PUBLISHED", "dateUpdated": "2026-04-24T12:05:33.679Z", "dateReserved": "2026-04-20T14:01:46.671Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T02:40:16.528Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:press:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FD9CD87-D255-4BB8-86B7-791DEDD6955F", "versionEndExcluding": "0.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST."}], "id": "CVE-2026-41317", "lastModified": "2026-04-30T14:53:51.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T03:16:12.113", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frappe/press/security/advisories/GHSA-q4wg-jrr8-vpwf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,52ea2f2d1b587be0807557e96f025f47897d00fd)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "press", "source": "cna", "vendor": "frappe"}, "product": "press", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-28T23:48:55.037609+00:00", "value": {"mitigation_remediation": ["Update Frappe Press to the version containing commit 52ea2f2d1b587be0807557e96f025f47897d00fd or later, which restricts the method to POST.", "If an upgrade is not immediately possible, configure the web application firewall or proxy to block GET requests to the /api/account/create_api_secret endpoint, ensuring only POST is allowed.", "Enforce CSRF protection and require authentication for the endpoint by validating a CSRF token, following CWE\u2011352 best practices to prevent unauthorized state changes via HTTP methods."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized creation of API secrets"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Frappe Press. No specific version is listed, so any deployment that includes the unpatched \u201cpress.api.account.create_api_secret\u201d endpoint is susceptible.", "description_and_impact": "Press, a Frappe custom app for Frappe Cloud, exposes its API endpoint for creating API secrets through a GET method. The endpoint writes to the database, enabling the generation of new secrets. An attacker who can trigger a CSRF or directly call the endpoint can obtain a valid API secret, which could be used for unauthorized access.", "risk_and_exploitability": "The CVSS score of 6.6 indicates moderate severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by issuing a GET request to the endpoint to generate a new API secret. The risk is unauthorized access through API secret creation."}}}}, "created": "2026-04-27T23:00:12.518677+00:00", "updated": "2026-04-29T00:00:13.809353+00:00", "vendors": ["frappe", "frappe$PRODUCT$press"]}