Skip to main content

EspoCRM CVE-2026-41141

| EUVDEUVD-2026-32947 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-28 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 28, 2026 - 18:02 EUVD
Analysis Generated
May 28, 2026 - 17:27 vuln.today

DescriptionGitHub Advisory

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) without performing an ACL check. An authenticated user with EmailTemplate read permission can extract all field values of any entity by supplying the target's email address, bypassing read: own or read: team ACL restrictions. This vulnerability is fixed in 9.3.5.

AnalysisAI

EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authenticated low-privileged users to exfiltrate all field values from arbitrary Contact, Lead, Account, or User records prior to version 9.3.5. By supplying a target entity's email address as an attacker-controlled lookup key, the endpoint resolves and returns the full record without enforcing read:own or read:team ACL restrictions. A publicly available proof-of-concept exists; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), but the low attack complexity and public POC meaningfully elevate real-world risk.

Technical ContextAI

EspoCRM implements role-based ACL policies including read:own (user can only read records they own) and read:team (user can only read records within their team). CWE-639 (Authorization Through User-Controlled Key) describes the root cause: the EmailTemplate prepare endpoint accepts a user-supplied emailAddress parameter and uses it as a lookup key to resolve the owning entity from any of four entity types (Contact, Lead, Account, User) without invoking the ACL layer. This means the authorization decision is effectively delegated to attacker-controlled input rather than a server-enforced permission check. The affected CPE is cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*, indicating all releases of the EspoCRM application up to the patched version are in scope. The vulnerability resides specifically in the entity-resolution logic of the email template preparation API rather than in EspoCRM's ACL engine itself, which functions correctly in other contexts.

RemediationAI

Upgrade EspoCRM to version 9.3.5 or later, which is the vendor-released patch that introduces proper ACL enforcement on the EmailTemplate prepare endpoint; the advisory is published at https://github.com/espocrm/espocrm/security/advisories/GHSA-vvmh-mf4h-96hw. If immediate upgrade is not feasible, a targeted compensating control is to revoke EmailTemplate read permissions from any role that operates under read:own or read:team ACL restrictions - this removes access to the vulnerable endpoint but will break legitimate email template preview functionality for those roles, which may be an acceptable trade-off in sensitive deployments. A second compensating control is to restrict access to the /api/v1/EmailTemplate/:id/prepare path at the network perimeter or via WAF rules for untrusted or externally-facing network segments; note this may disrupt internal users relying on template previews. Neither workaround addresses the root cause and both carry functional side effects - patching to 9.3.5 remains the definitive fix.

CVE-2014-7985 CRITICAL POC
10.0 Oct 31

Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local

CVE-2026-33656 CRITICAL POC
9.1 Apr 22

Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/

CVE-2022-38843 HIGH POC
8.8 Sep 16

EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any ext

CVE-2019-14351 HIGH POC
8.8 Jul 28

EspoCRM 5.6.4 is vulnerable to user password hash enumeration. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2020-37094 HIGH POC
8.6 Feb 03

Authorization bypass in EspoCRM 5.8.5 lets an authenticated low-privilege user reuse or manipulate Basic-Authorization a

CVE-2022-38844 HIGH POC
8.0 Sep 16

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating

CVE-2026-33733 HIGH POC
7.2 Apr 22

Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or d

CVE-2026-33741 MEDIUM POC
6.8 May 19

Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript

CVE-2023-46736 MEDIUM POC
6.5 Dec 05

EspoCRM is an Open Source CRM (Customer Relationship Management) software. Rated medium severity (CVSS 6.5), this vulner

CVE-2022-38845 MEDIUM POC
6.1 Sep 16

Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s brow

CVE-2019-14350 MEDIUM POC
6.1 Jul 28

EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. Rated m

CVE-2019-14349 MEDIUM POC
6.1 Jul 28

EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document

Share

CVE-2026-41141 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy