Frappe Press CSRF-Like Vulnerability in API Secret Generation Endpoint

Vulnerability

A CSRF-like vulnerability has been identified in the `create_api_secret` endpoint of Frappe Press, the custom application that manages various aspects of Frappe Cloud. The endpoint writes to the database yet was accessible via the GET method, which makes it susceptible to Cross-Site Request Forgery (CSRF) attacks. The root cause is that the endpoint was not restricted to a safer HTTP method, so a state-changing operation could be triggered by a plain GET request.

Impact

Exploitation of this vulnerability could lead to unauthorized API secret generation, allowing users to impersonate others or gain unauthorized access to resources or functionalities.

Remediation

Users can update to version 52ea2f2d1b587be0807557e96f025f47897d00fd, where this vulnerability has been patched by restricting the `create_api_secret` endpoint to the POST method.
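One way to audit a Frappe app for the same pattern, as an added example that is not code from this advisory or from the Press repository: it parses Python source and lists whitelisted functions that a GET request can still reach. The sample module, its function names other than `create_api_secret`, and the helper names are constructed, and the check assumes that a `whitelist` decorator with no `methods` argument accepts GET.

```python
import ast

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed sample module for the demo; not code from the Press repository.
SAMPLE = '''
import frappe

@frappe.whitelist()
def create_api_secret(): ...

@frappe.whitelist(methods=["POST"])
def rotate_key(): ...

@frappe.whitelist(methods=["GET", "POST"])
def toggle_flag(): ...

def internal_helper(): ...
'''

def _is_whitelist(dec):
    """True for @frappe.whitelist, @frappe.whitelist(...) or a bare @whitelist."""
    target = dec.func if isinstance(dec, ast.Call) else dec
    return getattr(target, "attr", getattr(target, "id", None)) == "whitelist"

def _declared_methods(dec):
    """Literal methods= value as an upper-case set, or None if absent/unknown."""
    for kw in getattr(dec, "keywords", []):
        if kw.arg == "methods":
            try:
                value = ast.literal_eval(kw.value)
            except ValueError:
                return None  # computed at runtime: treat as unrestricted
            if isinstance(value, str):
                value = [value]
            return {str(m).upper() for m in value} if value else None
    return None

def get_reachable_endpoints(source):
    """Names of whitelisted functions that a GET request can still invoke."""
    findings = set()
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in filter(_is_whitelist, fn.decorator_list):
                methods = _declared_methods(dec)
                if methods is None or methods & SAFE_METHODS:
                    findings.add(fn.name)
    return sorted(findings)

if __name__ == "__main__":
    print(get_reachable_endpoints(SAMPLE))
```

Each name it reports still needs a manual check for whether the function writes state; read-only endpoints can legitimately stay on GET.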

Added: Apr 24, 2026, 3:19 AM
Updated: Apr 24, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.9
remediation: 0.0
relevance: 6.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.