What is the CVSS score of CVE-2020-37094?

CVE-2020-37094 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of Espocrm are affected by CVE-2020-37094?

EspoCRM instances running version 5.8.5 face a critical authentication bypass vulnerability (CVSS 9.8) that allows attackers to impersonate any user account by manipulating HTTP headers.

Is there a public PoC exploit available for CVE-2020-37094?

Yes, a public proof-of-concept exploit is available for CVE-2020-37094. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2020-37094?

Within 24 hours: Immediately audit access logs for suspicious authentication patterns and take affected EspoCRM instances offline or restrict network access if they handle sensitive data. Within 7 days: Implement compensating controls (WAF rules blocking header manipulation, network segmentation isolating EspoCRM) and deploy a reverse proxy to enforce strict header validation. Within 30 days: Upgrade to a patched EspoCRM version when available, or migrate to an alternative CRM solution if vendor patches remain unavailable.

Espocrm CVE-2020-37094

CRITICAL

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-02-03 disclosure@vulncheck.com

Authentication Bypass Espocrm

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Mar 03, 2026 - 14:59 vuln.today

Public exploit code

CVE Published

Feb 03, 2026 - 22:16 nvd

CRITICAL 9.8

DescriptionNVD

EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges.

AnalysisAI

EspoCRM 5.8.5 has an authentication vulnerability allowing attackers to access other user accounts through IDOR in session handling.

Technical ContextAI

EspoCRM 5.8.5 has a CWE-639 authorization bypass through user-controlled keys that allows attackers to manipulate session identifiers and access other users' accounts.

RemediationAI

Update EspoCRM. Implement proper session validation.

CVE-2020-37094 vulnerability details – vuln.today

Back

Espocrm CVE-2020-37094

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code