SB2026041457 - Multiple vulnerabilities in EspoCRM


Published: April 14, 2026

Security Bulletin ID: SB2026041457
Severity: Low
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33740)

The vulnerability allows a remote user to disclose sensitive information and delete another user's attachment record.

The vulnerability exists due to improper access control in the POST /api/v1/Email/importEml endpoint and ImportEmlService attachment lookup when processing an attacker-controlled fileId. A remote user can supply a raw fileId referencing another user's .eml attachment to disclose sensitive information and delete another user's attachment record.

Exploitation requires Email:create and Import permissions, and the attacker must know or obtain the target attachment ID.
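The following is an added illustration of the access-control pattern behind this finding; it is not EspoCRM code and does not reproduce the ImportEmlService. The in-memory store, the Attachment fields, the "import-eml" role string and the function names are hypothetical. The unsafe lookup selects the record by the raw id alone, so any known id works; the hardened lookup also requires that the record belongs to the requesting user and was uploaded for this purpose, and answers every mismatch with the same "not found" error.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    id: str
    owner_id: str
    name: str
    role: str        # hypothetical: what the upload was for, e.g. "import-eml"
    content: bytes


class AttachmentStore:
    """Constructed in-memory stand-in for the attachment table."""

    def __init__(self, records):
        self._by_id = {r.id: r for r in records}
        self.deleted = []

    def get(self, attachment_id):
        return self._by_id.get(attachment_id)

    def delete(self, attachment_id):
        self._by_id.pop(attachment_id, None)
        self.deleted.append(attachment_id)


class AccessDenied(Exception):
    pass


def import_eml_unsafe(store, user_id, file_id):
    """Vulnerable pattern: the client-supplied id is the only selector, so a user who
    knows another user's attachment id reads its content and, via the post-import
    cleanup, deletes that other user's record."""
    att = store.get(file_id)
    if att is None:
        raise LookupError(file_id)
    store.delete(att.id)
    return att.content


def load_owned_attachment(store, user_id, file_id, role="import-eml"):
    """Hardened lookup: id, ownership, purpose and file type must all match.
    Every mismatch raises the same error so the id space cannot be probed."""
    att = store.get(file_id)
    if att is None or att.owner_id != user_id or att.role != role:
        raise AccessDenied("attachment not found")
    if not att.name.lower().endswith(".eml"):
        raise AccessDenied("attachment not found")
    return att


def import_eml_safe(store, user_id, file_id):
    """Same import flow, but only an attachment the caller owns can be consumed."""
    att = load_owned_attachment(store, user_id, file_id)
    store.delete(att.id)
    return att.content


def can_import(store, user_id, file_id):
    """Boolean convenience wrapper around load_owned_attachment."""
    try:
        load_owned_attachment(store, user_id, file_id)
        return True
    except AccessDenied:
        return False
```

The ownership check belongs in the service that consumes the id, not only in the endpoint that issued it: the id is a capability the client hands back, and anything reachable by id alone is reachable by anyone who can guess or obtain that id.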


2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33659)

The vulnerability allows a remote user to access internal network services and disclose limited information.

The vulnerability exists due to server-side request forgery in the POST /api/v1/Attachment/fromImageUrl endpoint when fetching a user-supplied image URL. A remote user can supply a hostname that passes validation but resolves differently at connection time to access internal network services and disclose limited information.

User interaction is not required, and exploitation requires attachment creation access.


3) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2026-33657)

The vulnerability allows a remote user to inject arbitrary HTML into system-generated email notifications.

The vulnerability exists due to improper neutralization of HTML content in email notification templates when rendering Markdown-derived stream note content. A remote user can submit a specially crafted stream note to inject arbitrary HTML into system-generated email notifications.

User interaction is required to open the email notification, and the @mention feature enables targeted delivery to specific users.
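Added example of the escape-then-transform rule that prevents this class of injection; it is not EspoCRM code and the Markdown subset (bold, inline code, http(s) links) and template are hypothetical. The unsafe renderer applies Markdown transforms to raw text, so any HTML the author typed is carried into the email body verbatim; the safe renderer HTML-escapes the raw text first, and only then applies transforms whose output is limited to the tags the renderer itself chooses.

```python
import html
import re

# Constructed notification template; EspoCRM's real template is not reproduced here.
_TEMPLATE = "<p>{author} mentioned you:</p><blockquote>{note}</blockquote>"

_BOLD = re.compile(r"\*\*(.+?)\*\*")
_CODE = re.compile(r"`([^`]+)`")
# Only absolute http(s) URLs become links, so javascript: and data: schemes never do.
_LINK = re.compile(r"\[([^\]]+)\]\((https?://[^\s)]+)\)")


def render_note_unsafe(text):
    """Vulnerable pattern: Markdown is applied to raw text, so any HTML in it survives."""
    out = _BOLD.sub(r"<strong>\1</strong>", text)
    out = _CODE.sub(r"<code>\1</code>", out)
    return out


def render_note_safe(text):
    """Escape first, transform second. The Markdown markers (*, `, [, ]) survive
    html.escape, so the allow-listed transforms still work, but every '<', '>',
    '&' and quote the author typed is now an entity, and the only tags in the
    output are the ones emitted by these three substitutions."""
    out = html.escape(text, quote=True)
    out = _BOLD.sub(r"<strong>\1</strong>", out)
    out = _CODE.sub(r"<code>\1</code>", out)
    out = _LINK.sub(r'<a href="\2">\1</a>', out)
    return out


def notification_email_html(author, note_text, renderer=render_note_safe):
    """Build the HTML body of a mention notification from a rendered note."""
    return _TEMPLATE.format(author=html.escape(author), note=renderer(note_text))
```

Escaping after rendering does not work, because it would also neutralize the tags the renderer legitimately produced; escaping before rendering is the only ordering in which the author's text and the renderer's markup stay distinguishable. Link URLs are escaped as text before they are placed in the href attribute, so a quote in the URL cannot break out of the attribute.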


4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33534)

The vulnerability allows a remote user to make requests to internal resources and disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the /api/v1/Attachment/fromImageUrl endpoint when processing a user-supplied image URL containing an alternative IPv4 representation. A remote user can send a specially crafted request using octal IPv4 notation to make requests to internal resources and disclose sensitive information.

In the confirmed flow, the fetched response is stored as an attachment.
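Findings 2 and 4 describe two ways past a string-level check on a user-supplied image URL: an IPv4 address written in a non-canonical form (octal, hexadecimal, fewer than four components, a single integer) and a hostname that passes validation but resolves to something else when the connection is made. The block below is an added, generic validator written for this bulletin; it is not EspoCRM code. It normalizes any IPv4 spelling the C library accepts with inet_aton, resolves hostnames and checks every returned address against loopback, private, link-local, multicast and reserved ranges, and returns a pinned address that the fetch must connect to directly (sending the original hostname in the Host header), so the name cannot be re-resolved to a different address between check and connect. The resolver is injectable so the check can be exercised without DNS; the function names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def canonical_ipv4(host):
    """Return the dotted-quad form of any IPv4 spelling inet_aton accepts, else None.

    inet_aton understands octal ("0177.0.0.1"), hexadecimal ("0x7f.0.0.1"),
    short ("127.1") and single-integer ("2130706433") forms, which is exactly
    what a string comparison against "127.0.0.1" misses.
    """
    try:
        packed = socket.inet_aton(host)
    except OSError:
        return None
    return socket.inet_ntoa(packed)


def is_forbidden_address(addr):
    """True for loopback, private, link-local, multicast, reserved or unspecified
    addresses; an IPv4-mapped IPv6 address is judged as its IPv4 form."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_loopback or ip.is_private or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def resolve_all(hostname):
    """Default resolver: every A/AAAA record for the name, via the system resolver."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_image_url(url, resolver=resolve_all):
    """Return (hostname, pinned_ip, port) for a URL that is safe to fetch, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)

    literal = canonical_ipv4(host)
    if literal is not None:
        candidates = [literal]                      # any IPv4 spelling, normalized
    else:
        try:
            candidates = [str(ipaddress.ip_address(host))]   # IPv6 literal
        except ValueError:
            candidates = resolver(host)             # a name: judge every record
    if not candidates:
        raise ValueError("host does not resolve")
    for addr in candidates:
        if is_forbidden_address(addr):
            raise ValueError("host resolves to a non-public address: %s" % addr)
    # Pin one validated address. The HTTP client must connect to this IP and send
    # "Host: <host>"; connecting by name again would re-resolve and reopen the race.
    return host, candidates[0], port


def is_safe_image_url(url, resolver=resolve_all):
    """Boolean convenience wrapper around validate_image_url."""
    try:
        validate_image_url(url, resolver=resolver)
        return True
    except ValueError:
        return False
```

Two caveats a reviewer would raise even with this in place: redirects must be validated with the same function on each hop, since a public host can 302 to an internal address; and the fetched body is stored as an attachment in the confirmed flow, so response size and content type also deserve limits.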


Remediation

Install the update from the vendor's website.