CVE-2026-55852

Frappe · Frappe

The Frappe framework is vulnerable to path traversal, which could allow an authenticated high-privileged user to access or manipulate restricted files on the server.

Executive summary

A high-severity path traversal vulnerability in the Frappe framework allows authenticated high-privileged users to compromise system files.

Vulnerability

This vulnerability (CWE-22) is caused by improper limitation of pathnames to restricted directories. An attacker with high-level privileges can traverse the filesystem to access files outside of the intended application directory.

Business impact

Exploitation of this path traversal flaw could lead to full system compromise, including the retrieval of sensitive configuration files or the overwriting of critical system components. With a CVSS score of 8.6, this vulnerability represents a severe threat to infrastructure integrity and security.

Remediation

Immediate Action: Update the Frappe framework to version 15.112.0 or 16.23.0 immediately to include the necessary path validation fixes.

Proactive Monitoring: Audit server file system access logs for suspicious traversal patterns (e.g., ../../) originating from administrative accounts.

Compensating Controls: Ensure the application runs with the principle of least privilege, restricting the filesystem access of the web server process to only the necessary directories.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the potential for high-level system impact, it is imperative to apply the provided patches to the Frappe framework. Administrators should prioritize upgrading to the patched versions to prevent unauthorized file access and potential escalation of privileges.