CVE-2026-26977: CWE-862: Missing Authorization in frappe lms
CVE-2026-26977 is a medium-severity vulnerability in Frappe Learning Management System (LMS) versions 2. 44. 0 and below, where unauthorized users can access details of unpublished courses via API endpoints due to missing authorization checks. This issue arises from CWE-862 (Missing Authorization) and CWE-284 (Improper Access Control). The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. Although no known exploits are currently in the wild, the exposure of unpublished course data can lead to information disclosure and potential competitive or privacy concerns. A fix is planned for version 2. 45. 0. Organizations using affected versions should prioritize upgrading and implement temporary access restrictions to mitigate risk.
AI Analysis
Technical Summary
CVE-2026-26977 identifies a missing authorization vulnerability in the Frappe LMS product, specifically in versions 2.44.0 and earlier. The flaw allows unauthenticated attackers to retrieve details of unpublished courses through API endpoints that lack proper access control mechanisms. This vulnerability is categorized under CWE-862 (Missing Authorization) and CWE-284 (Improper Access Control), indicating that the system fails to verify whether the requesting user has the necessary permissions before disclosing sensitive course information. The vulnerability is remotely exploitable without any authentication or user interaction, making it accessible to any attacker with network access to the LMS API. The exposed data could include course content, metadata, or other sensitive information intended only for authorized users or internal review. While the CVSS 4.0 base score is 6.9 (medium severity), reflecting the moderate impact on confidentiality and the ease of exploitation, there is no indication of impact on integrity or availability. The vendor plans to release a patch in version 2.45.0 to enforce proper authorization checks on these API endpoints. Until then, affected organizations remain vulnerable to unauthorized data disclosure.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of unpublished course details, which can compromise confidentiality. For educational institutions, training providers, or enterprises using Frappe LMS, this could lead to premature exposure of proprietary or sensitive course content, undermining competitive advantage or violating privacy policies. Attackers could leverage this information for social engineering, intellectual property theft, or to gain insights into organizational training strategies. Although the vulnerability does not affect system integrity or availability, the breach of confidentiality can damage reputation and trust. Since exploitation requires no authentication and no user interaction, the attack surface is broad, increasing risk especially for publicly accessible LMS deployments. Organizations worldwide using affected versions face potential data leakage until the patch is applied.
Mitigation Recommendations
1. Upgrade to Frappe LMS version 2.45.0 or later immediately upon release to apply the official fix enforcing proper authorization. 2. Until patching, restrict network access to the LMS API endpoints by implementing firewall rules or network segmentation to limit exposure to trusted users only. 3. Employ Web Application Firewalls (WAF) with custom rules to detect and block unauthorized API requests targeting unpublished course data. 4. Conduct an audit of current unpublished course data exposure and remove or archive sensitive content temporarily if feasible. 5. Monitor API access logs for unusual or unauthorized requests to unpublished course endpoints to detect potential exploitation attempts. 6. Educate LMS administrators on the risk and ensure secure configuration management to prevent similar authorization lapses. 7. Consider implementing additional authentication or token-based access controls at the API layer as a compensating control until the patch is deployed.
Affected Countries
United States, India, United Kingdom, Germany, Australia, Canada, France, Brazil, Netherlands, Singapore
CVE-2026-26977: CWE-862: Missing Authorization in frappe lms
Description
CVE-2026-26977 is a medium-severity vulnerability in Frappe Learning Management System (LMS) versions 2. 44. 0 and below, where unauthorized users can access details of unpublished courses via API endpoints due to missing authorization checks. This issue arises from CWE-862 (Missing Authorization) and CWE-284 (Improper Access Control). The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. Although no known exploits are currently in the wild, the exposure of unpublished course data can lead to information disclosure and potential competitive or privacy concerns. A fix is planned for version 2. 45. 0. Organizations using affected versions should prioritize upgrading and implement temporary access restrictions to mitigate risk.
AI-Powered Analysis
Technical Analysis
CVE-2026-26977 identifies a missing authorization vulnerability in the Frappe LMS product, specifically in versions 2.44.0 and earlier. The flaw allows unauthenticated attackers to retrieve details of unpublished courses through API endpoints that lack proper access control mechanisms. This vulnerability is categorized under CWE-862 (Missing Authorization) and CWE-284 (Improper Access Control), indicating that the system fails to verify whether the requesting user has the necessary permissions before disclosing sensitive course information. The vulnerability is remotely exploitable without any authentication or user interaction, making it accessible to any attacker with network access to the LMS API. The exposed data could include course content, metadata, or other sensitive information intended only for authorized users or internal review. While the CVSS 4.0 base score is 6.9 (medium severity), reflecting the moderate impact on confidentiality and the ease of exploitation, there is no indication of impact on integrity or availability. The vendor plans to release a patch in version 2.45.0 to enforce proper authorization checks on these API endpoints. Until then, affected organizations remain vulnerable to unauthorized data disclosure.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of unpublished course details, which can compromise confidentiality. For educational institutions, training providers, or enterprises using Frappe LMS, this could lead to premature exposure of proprietary or sensitive course content, undermining competitive advantage or violating privacy policies. Attackers could leverage this information for social engineering, intellectual property theft, or to gain insights into organizational training strategies. Although the vulnerability does not affect system integrity or availability, the breach of confidentiality can damage reputation and trust. Since exploitation requires no authentication and no user interaction, the attack surface is broad, increasing risk especially for publicly accessible LMS deployments. Organizations worldwide using affected versions face potential data leakage until the patch is applied.
Mitigation Recommendations
1. Upgrade to Frappe LMS version 2.45.0 or later immediately upon release to apply the official fix enforcing proper authorization. 2. Until patching, restrict network access to the LMS API endpoints by implementing firewall rules or network segmentation to limit exposure to trusted users only. 3. Employ Web Application Firewalls (WAF) with custom rules to detect and block unauthorized API requests targeting unpublished course data. 4. Conduct an audit of current unpublished course data exposure and remove or archive sensitive content temporarily if feasible. 5. Monitor API access logs for unusual or unauthorized requests to unpublished course endpoints to detect potential exploitation attempts. 6. Educate LMS administrators on the risk and ensure secure configuration management to prevent similar authorization lapses. 7. Consider implementing additional authentication or token-based access controls at the API layer as a compensating control until the patch is deployed.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-17T01:41:24.604Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 6997b995d7880ec89b493761
Added to database: 2/20/2026, 1:32:05 AM
Last enriched: 2/20/2026, 1:46:56 AM
Last updated: 2/20/2026, 2:32:39 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2820: SQL Injection in Fujian Smart Integrated Management Platform System
MediumCVE-2026-2819: Missing Authorization in Dromara RuoYi-Vue-Plus
MediumCVE-2026-26065: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kovidgoyal calibre
CriticalCVE-2026-26064: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kovidgoyal calibre
CriticalCVE-2026-26980: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in TryGhost Ghost
CriticalActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.