External risk intelligence

ERPNext and Frappe Framework SSRF via PDF Generation Leading to Information Disclosure.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-31017

ERPNext is a web-based enterprise resource planning platform that is commonly deployed as an internet-facing application to allow user access for business operations, making the print format and PDF generation functionality reachable via web requests.

Server-Side Request Forgery

Frappe Erpnext

16.0.116.1.1

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A Server-Side Request Forgery vulnerability has been identified in the Print Format functionality of ERPNext and Frappe Framework. This issue allows attackers to manipulate the PDF generation process to make the server request external resources, potentially exposing sensitive internal information.

  • Server forced to fetch unwanted external data.
  • Remember: unintended server requests can leak secrets.
  • Confirm if our ERPNext or Frappe is exposed.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by submitting crafted HTML content to the Print Format functionality, which is insufficiently sanitized. The application then renders this HTML into a PDF, causing the server to fetch resources referenced in the HTML, such as from an `<iframe>` tag. This allows an attacker to direct the server to make requests to internal network resources or cloud metadata endpoints, potentially exposing sensitive information.

  • Entry Condition: No authentication or special privileges are required.
  • Trigger Point: User-supplied HTML in Print Format.
  • Resulting Risk: Sensitive information disclosure via SSRF.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to trick the ERPNext server into accessing internal network resources or cloud metadata endpoints. When generating PDFs from attacker-controlled HTML, the server fetches external resources, potentially exposing sensitive system or cloud configuration data.

  • Internal network resources.
  • Server fetches external resources.
  • Sensitive information disclosure.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Print Format functionality in ERPNext and Frappe Framework, vulnerable to SSRF, necessitates action from teams managing these applications. Initial steps should focus on asset discovery to identify all instances, followed by an assessment of their reachability and business criticality. Once accountable owners are identified, remediation plans can be developed based on the assessed risk.

  • Application owners should lead remediation.
  • Verify SSRF exposure and impact first.
  • Plan vendor coordination and patching.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ERPNext and the Frappe Framework?

ERPNext is a web-based enterprise resource planning platform used to manage business operations like accounting, HR, and inventory. It is built upon the Frappe Framework, which provides the underlying architecture and low-code tools for the application. Together, they function as a integrated system for handling data and documents, including the generation of reports and PDFs used in daily business tasks.

What does CVE-2026-31017 mean in simple terms?

This vulnerability is classified as Server-Side Request Forgery (SSRF), specifically CWE-918. It means the application fails to properly clean user-provided HTML before turning it into a PDF. Because the server blindly trusts this content, an attacker can insert code that tricks the server into making unexpected web requests. Instead of just creating a document, the server is manipulated into acting as a proxy to fetch data it should not be accessing.

How is this SSRF vulnerability triggered?

The flaw is triggered when the application's Print Format feature processes malicious HTML containing references to external resources, such as an iframe. The server automatically attempts to fetch whatever is linked within that HTML. It is important to note that this does not require an attacker to have a legitimate account or special privileges; it is exploitable through any interface that allows the submission of custom print templates.

Is my instance at risk according to Halo Surface Signal?

Halo Surface Signal identifies ERPNext as a platform often deployed as an internet-facing application to support business operations. Because the Print Format functionality is a standard part of the web interface, instances exposed to the internet are considered to have a higher potential for reachability. You should prioritize assessing your environment if your application is accessible from the public web rather than restricted to internal networks.

What are the first steps to address this CVE?

Begin by performing an inventory of all ERPNext and Frappe instances within your environment to understand your footprint. Once mapped, identify which systems are internet-facing or hold critical data. Coordinate with your application owners to evaluate the current risk, monitor official vendor channels for security patches, and establish a plan to update the software to a version where the input sanitization is corrected.

References