CVE-2026-26977 is a vulnerability in the Frappe LMS product, specifically in versions 2.44.0 and earlier, where the system fails to enforce proper authorization checks on API endpoints that serve course details. This missing authorization (CWE-862) allows any remote attacker to retrieve information about unpublished courses without authentication or user interaction. The vulnerability arises because the API does not verify whether the requesting user has the necessary permissions to view unpublished course content, violating the principle of least privilege. The CVSS 4.0 base score is 6.9 (medium severity), reflecting that the attack vector is network-based, with low complexity and no privileges or user interaction required. The impact is limited to confidentiality, as unauthorized users can access sensitive course information that should remain private until publication. Integrity and availability are not affected. The vulnerability is slated to be fixed in the upcoming 2.45.0 release. No public exploits have been reported, but the exposure of unpublished educational content could have privacy and competitive implications for organizations relying on Frappe LMS.

The primary impact of this vulnerability is unauthorized disclosure of unpublished course content, which could include proprietary educational materials, exam content, or sensitive instructional data. Organizations using Frappe LMS in education, corporate training, or certification contexts may face confidentiality breaches, potentially undermining intellectual property protections and competitive advantage. Exposure of unpublished content could also lead to reputational damage and loss of trust among users and stakeholders. While the vulnerability does not allow modification or deletion of data, the unauthorized access could facilitate further social engineering or targeted attacks. The ease of exploitation (no authentication or user interaction required) increases the risk, especially for publicly accessible LMS instances. Organizations worldwide that rely on Frappe LMS for content management are at risk until they apply the fix or implement compensating controls.

Organizations should upgrade Frappe LMS to version 2.45.0 or later as soon as it becomes available, as this release includes the official fix for the missing authorization issue. Until then, administrators should restrict access to the LMS API endpoints by implementing network-level controls such as IP whitelisting or VPN access to limit exposure to trusted users only. Additionally, applying web application firewall (WAF) rules to detect and block unauthorized API requests can reduce risk. Reviewing and tightening API authentication and authorization mechanisms is critical; custom patches or middleware that enforce permission checks on unpublished course data can serve as interim measures. Monitoring API access logs for unusual or unauthorized requests can help detect exploitation attempts. Finally, educating users and administrators about the sensitivity of unpublished content and enforcing strict content publication workflows will mitigate potential damage.