PT-2026-32522 · Espocrm · Espocrm
Yurikuzn · Published 2026-04-13 · Updated 2026-04-14 · CVE-2026-33740
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 9.3.4
Description: An Insecure Direct Object Reference (IDOR) exists in the '/api/v1/Email/importEml' endpoint. The fileId parameter is used to fetch attachments from the repository without verifying whether the current user is authorized to access them. Authenticated users with Email:create and Import permissions can read other users' .eml attachment contents by importing them into their own mailbox, which also deletes the original attachment record.
Recommendations: Update to version 9.3.4. As a temporary workaround, restrict access to the '/api/v1/Email/importEml' endpoint.

Exploit · Fix · IDOR


Related Identifiers: CVE-2026-33740
Affected Products: Espocrm