CVE-2026-41317 MEDIUM

CVE-2026-41317: Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation

Vendor Frappe
Product press
Weakness CWE-352 · CSRF
Published April 24, 2026
Last update April 24, 2026

CVSS base score

6.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit 52ea2f2d1b587be0807557e96f025f47897d00fd restricts method to POST.

Key dates

02Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated

Related vulnerabilities

04Related CVE