PT-2026-32508 · Espocrm · Espocrm
Entrovyx · Published 2026-04-13 · Updated 2026-04-14 · CVE-2026-33534
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 9.3.4
Description: An authenticated Server-Side Request Forgery (SSRF) allows bypassing the internal-host validation by supplying an alternative IPv4 representation of a loopback address, such as octal notation ('0177.0.0.1'). The check in HostCheck::isNotInternalHost() relies on filter_var(..., FILTER_VALIDATE_IP), which rejects such non-canonical forms rather than normalizing them, so the value is not recognized as an IP literal at all. Validation therefore falls through to a DNS lookup; the lookup returns no records for a string like '0177.0.0.1', and the absence of records is incorrectly treated as "not internal". cURL then normalizes the same string to 127.0.0.1 and connects to the loopback interface. Through the '/api/v1/Attachment/fromImageUrl' endpoint, an authenticated user can force the server to request loopback-only services and store the response as an attachment, potentially exposing internal resources.
Recommendations: Update to version 9.3.4. As a temporary workaround, restrict access to the '/api/v1/Attachment/fromImageUrl' endpoint to minimize the risk of exploitation; note that this only limits who can reach the endpoint and does not remove the bypass itself, so egress filtering from the web server to loopback and other internal services remains the more robust control.
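To make the bypass concrete, the following is an added example in Python; it is not EspoCRM's PHP code and not part of this advisory. is_not_internal_host_naive() reproduces the vulnerable pattern as described above, with a strict dotted-quad regular expression standing in for FILTER_VALIDATE_IP; inet_aton_normalize() implements the classic inet_aton(3) parsing rules (one to four dot-separated parts, each hexadecimal, octal or decimal, with the last part filling the remaining bytes), which is why '0177.0.0.1', '127.1', '0x7f000001' and '2130706433' all land on loopback; is_internal_host() is a hardened check built on that normalization. FAKE_DNS is a constructed lookup table so that the code runs offline, and all function names are mine.

```python
"""Alternative-IPv4-representation SSRF bypass: vulnerable pattern beside a hardened check."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed DNS table standing in for a real resolver so the example runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "api.example.test": ["1.2.3.4"],                 # a globally routable address
    "metadata.internal.test": ["169.254.169.254"],   # link-local, cloud-metadata style
}
Resolver = Callable[[str, List[str]], List[str]]

# Strict dotted-quad with no leading zeros: the only IPv4 shape FILTER_VALIDATE_IP accepts.
STRICT_IPV4 = re.compile(
    r"^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$"
)

# One inet_aton(3) component: hex (0x...), octal (leading 0), or decimal.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def inet_aton_normalize(host: str) -> Optional[str]:
    """Canonical dotted-quad for any legacy inet_aton(3) spelling, or None if not IPv4.

    One to four parts; each part may be hex, octal or decimal; the last part fills
    every byte the leading parts did not consume ("127.1" -> 127.0.0.1).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not _PART.match(p):
            return None
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif p.startswith("0"):
            values.append(int(p, 8))
        else:
            values.append(int(p, 10))
    *head, last = values
    if any(v > 0xFF for v in head):
        return None
    last_bits = 8 * (4 - len(head))         # bits left for the final component
    if last >= 1 << last_bits:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << last_bits) | last
    return str(ipaddress.IPv4Address(n))


def _is_non_global(addr: str) -> bool:
    """True for loopback, private, link-local, reserved, multicast and unspecified addresses."""
    a = ipaddress.ip_address(addr)
    if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped is not None:
        a = a.ipv4_mapped                   # ::ffff:127.0.0.1 is still loopback
    return (not a.is_global) or a.is_multicast or a.is_unspecified


def is_not_internal_host_naive(host: str, resolve: Resolver = FAKE_DNS.get) -> bool:
    """Vulnerable pattern as the advisory describes it (constructed reproduction, not
    EspoCRM's code): the strict validator does not see "0177.0.0.1" as an IP, the DNS
    lookup for it returns nothing, and the host is treated as safe."""
    if STRICT_IPV4.match(host):
        return not _is_non_global(host)
    records = resolve(host, [])
    if not records:
        return True                         # BUG: "no records" is taken to mean "not internal"
    return not any(_is_non_global(r) for r in records)


def is_internal_host(host: str, resolve: Resolver = FAKE_DNS.get) -> bool:
    """Hardened check: canonicalise every IPv4 spelling first, handle IPv6 literals,
    and fail closed when a name does not resolve."""
    literal = inet_aton_normalize(host)
    if literal is not None:
        candidates = [literal]
    else:
        try:
            candidates = [str(ipaddress.ip_address(host.strip("[]")))]
        except ValueError:
            candidates = resolve(host.lower(), [])
            if not candidates:
                return True                 # unresolvable: refuse rather than trust
    return any(_is_non_global(c) for c in candidates)


if __name__ == "__main__":
    for h in ["127.0.0.1", "0177.0.0.1", "127.1", "0x7f000001", "2130706433", "api.example.test"]:
        print(f"{h:18} naive says safe: {is_not_internal_host_naive(h)!s:5}  "
              f"hardened says internal: {is_internal_host(h)}")
```

Two design points are worth noting. First, the hardened check fails closed on names that do not resolve, which is the other half of the bug: an empty DNS answer is not evidence that a host is external. Second, validating the literal is necessary but not sufficient in a real deployment, because a name that resolves to a public address at check time can resolve to loopback at connect time (DNS rebinding); the addresses actually connected to must be the ones that were checked, for example by pinning the resolved address for the HTTP client or re-checking at connect time.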

Tags: Exploit · Fix · SSRF


Weakness Enumeration: none listed
Related Identifiers: CVE-2026-33534
Affected Products: Espocrm