From 03ac40c2f84c52696a856f673c4ee081757121ed Mon Sep 17 00:00:00 2001
From: Oswin Alex
Date: Wed, 21 Jan 2026 02:22:41 +0530
Subject: [PATCH 1/3] fix: oauth2 refresh_token grant yields 403 forbidden

---
 frappe/oauth.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/frappe/oauth.py b/frappe/oauth.py
index 098e17a009..a074709a6c 100644
--- a/frappe/oauth.py
+++ b/frappe/oauth.py
@@ -253,7 +253,9 @@ class OAuthWebRequestValidator(RequestValidator):
 # return its scopes, these will be passed on to the refreshed
 # access token if the client did not specify a scope during the
 # request.
- obearer_token = frappe.get_doc("OAuth Bearer Token", {"refresh_token": refresh_token})
+ obearer_token = frappe.get_doc(
+ "OAuth Bearer Token", {"refresh_token": refresh_token}, ignore_permissions=True
+ )
 return obearer_token.scopes
 
 def revoke_token(self, token, token_type_hint, request, *args, **kwargs):
@@ -291,11 +293,17 @@ class OAuthWebRequestValidator(RequestValidator):
 - Refresh Token Grant
 """
- otoken = frappe.get_doc("OAuth Bearer Token", {"refresh_token": refresh_token, "status": "Active"})
+ otoken = frappe.get_doc(
+ "OAuth Bearer Token",
+ {"refresh_token": refresh_token, "status": "Active"},
+ ignore_permissions=True,
+ )
 if not otoken:
 return False
 else:
+ # Set request.user to the user associated with the refresh token
+ request.user = otoken.user
 return True
 # OpenID Connect

From deb4ae4e65eae7fec753f695385107a0518c6518 Mon Sep 17 00:00:00 2001
From: Alexoswin
Date: Wed, 21 Jan 2026 18:06:55 +0530
Subject: [PATCH 2/3] fix(security): require WeasyPrint >= 68.0 to address CVE-2025-68616

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 5eb94c3b44..66d7b3e14c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
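Review bot: The `otoken` lookup at the top of the second hunk matches a refresh token by `refresh_token` and `status` alone, never by the client presenting it, so a refresh token that leaks from one client can be redeemed by any other registered client, and with `ignore_permissions=True` now bypassing the permission layer nothing else in this hunk narrows the match; RFC 6749 §6 requires the server to verify that the refresh token was issued to the authenticated client. If this method keeps oauthlib's `validate_refresh_token(self, refresh_token, client, request, ...)` signature (its `def` line is outside the hunk), bind the lookup to the client as well, e.g. `{"refresh_token": refresh_token, "client": client.client_id, "status": "Active"}` using whatever field the OAuth Bearer Token doctype links the issuing client under, and apply the same filter to the `obearer_token` lookup in the first hunk. Separately, as far as I recall `frappe.get_doc` with a filters dict raises `DoesNotExistError` rather than returning a falsy value, so the `if not otoken: return False` branch likely never runs and an unknown or revoked token surfaces as an exception instead of a clean `False`; that is pre-existing but worth confirming while this grant path is being fixed. The `# Set request.user to the user associated with the refresh token` comment only restates the assignment; `# presumably oauthlib reads request.user when the refreshed token is saved — confirm` would record the reason.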
@@ -26,7 +26,7 @@ dependencies = [
 "PyQRCode~=1.2.1",
 "PyYAML~=6.0.3",
 "RestrictedPython~=8.1",
-"WeasyPrint==66.0",
+"WeasyPrint>=68.0",
 "pydyf==0.12.1",
 "Werkzeug==3.1.5",
 "Whoosh~=2.7.4",

From d4293fd3e7907b65871d9a47f325986cdc161204 Mon Sep 17 00:00:00 2001
From: Oswin Alex
Date: Wed, 28 Jan 2026 20:38:12 +0530
Subject: [PATCH 3/3] Revert "fix(security): require WeasyPrint >= 68.0 to address CVE-2025-68616"

This reverts commit deb4ae4e65eae7fec753f695385107a0518c6518.
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 66d7b3e14c..5eb94c3b44 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -26,7 +26,7 @@ dependencies = [
 "PyQRCode~=1.2.1",
 "PyYAML~=6.0.3",
 "RestrictedPython~=8.1",
-"WeasyPrint>=68.0",
+"WeasyPrint==66.0",
 "pydyf==0.12.1",
 "Werkzeug==3.1.5",
 "Whoosh~=2.7.4",