CVE-2026-26031 identifies an incorrect authorization vulnerability (CWE-863) in the Frappe Learning Management System (LMS) prior to version 2.44.0. The LMS is designed to help users structure educational content and manage student enrollments. The vulnerability allows unauthorized users to retrieve the full list of enrolled students, including their email addresses, in batches without requiring authentication or user interaction. This occurs because the system fails to properly enforce authorization checks on requests for batch student data. The flaw exposes sensitive personally identifiable information (PII), which could be leveraged for phishing, social engineering, or other targeted attacks. The CVSS 4.0 base score is 1.3, reflecting low impact due to limited scope and no direct system compromise. No known exploits have been reported in the wild, and the issue was addressed in Frappe LMS version 2.44.0 by correcting the authorization logic. Organizations using affected versions should prioritize patching to prevent unauthorized data exposure. The vulnerability primarily impacts confidentiality, with no direct effect on system integrity or availability.

For European organizations, the primary impact is unauthorized disclosure of student email addresses and enrollment data, which constitutes a breach of personal data under GDPR. This could lead to privacy violations, reputational damage, and potential regulatory penalties. Educational institutions and training providers using Frappe LMS are at risk of exposing sensitive student information to unauthorized parties, increasing the likelihood of phishing attacks or identity theft. Although the vulnerability does not allow system takeover or data manipulation, the exposure of PII is significant in the context of data protection laws in Europe. The low severity score indicates limited direct operational impact, but the compliance and privacy implications elevate the importance of remediation. Organizations failing to patch may face legal consequences and loss of trust among students and stakeholders.

The primary mitigation is to upgrade Frappe LMS to version 2.44.0 or later, where the authorization flaw has been fixed. Organizations should conduct an immediate inventory to identify any deployments running affected versions. In addition to patching, administrators should audit access controls and permissions related to student data exports and batch queries to ensure only authorized personnel can retrieve sensitive information. Implementing network segmentation and monitoring access logs for unusual data access patterns can help detect potential exploitation attempts. Educating staff on the importance of data privacy and enforcing strict role-based access controls within the LMS further reduces risk. Finally, organizations should review their incident response plans to address potential data disclosure events and notify affected individuals in compliance with GDPR requirements.