CVE-2026-49394
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0.
Impact
Base Score 4.0
7.10
Severity 4.0
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/frappe/frappe/commit/2471d94c397dc23301b30ed3bb30353f53b33f2c
- https://github.com/frappe/frappe/commit/6eba29d7ae80cdb4d0b2a245a477b1d2312736ca
- https://github.com/frappe/frappe/pull/39508
- https://github.com/frappe/frappe/pull/39526
- https://github.com/frappe/frappe/releases/tag/v16.19.0
- https://github.com/frappe/frappe/security/advisories/GHSA-r24j-xrj8-273q



