How to fix CVE-2020-37094?

Within 24 hours: Immediately audit access logs for suspicious authentication patterns and take affected EspoCRM instances offline or restrict network access if they handle sensitive data. Within 7 days: Implement compensating controls (WAF rules blocking header manipulation, network segmentation isolating EspoCRM) and deploy a reverse proxy to enforce strict header validation. Within 30 days: Upgrade to a patched EspoCRM version when available, or migrate to an alternative CRM solution if vendor patches remain unavailable.

Is Espocrm affected by CVE-2020-37094?

EspoCRM instances running version 5.8.5 face a critical authentication bypass vulnerability (CVSS 9.8) that allows attackers to impersonate any user account by manipulating HTTP headers.

CVE-2020-37094

CRITICAL

2026-02-03 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Mar 03, 2026 - 14:59 vuln.today

Public exploit code

CVE Published

Feb 03, 2026 - 22:16 nvd

CRITICAL 9.8

Description

EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges.

Analysis

EspoCRM 5.8.5 has an authentication vulnerability allowing attackers to access other user accounts through IDOR in session handling.

Technical Context

EspoCRM 5.8.5 has a CWE-639 authorization bypass through user-controlled keys that allows attackers to manipulate session identifiers and access other users' accounts.

Affected Products

['EspoCRM 5.8.5']

Remediation

Update EspoCRM. Implement proper session validation.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.4

CVSS: +49

POC: +20

CVE-2020-37094 vulnerability details – vuln.today

Back

CVE-2020-37094

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2020-37094

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code