IDOR Vulnerability in Frappe Framework Exposes User Email Configurations
CVE-2026-44207 is an insecure direct object reference (IDOR) vulnerability in the Frappe web application framework, affecting versions prior to 15.107.0 and 16.17.0. Authenticated users could exploit this flaw to access other users' email configuration details. The vulnerability has been assigned a CVSS base score of 6.9, indicating a medium severity level. The issue was published on June 12, 2026, and has since been patched in versions 15.107.0 and 16.17.0. Users of the affected versions are advised to update to mitigate potential risks. The vulnerability does not appear to have been actively exploited in the wild at this time. Security professionals should prioritize patching to prevent unauthorized access to sensitive information.
Key Points:
• CVE-2026-44207 affects Frappe versions prior to 15.107.0 and 16.17.0.
• The vulnerability allows authenticated users to access other users' email configurations.
• A patch has been released, and users are urged to update their systems immediately.