CVE-2026-33534
Authenticated SSRF in EspoCRM Allows Internal Host Bypass

Publication date: 2026-04-13

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). The cause is that the HostCheck::isNotInternalHost() function relies on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, so the validation falls through to a DNS lookup that returns no records and incorrectly treats the host as safe; cURL then normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4.
Meta Information
Published: 2026-04-13
Last modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: espocrm
Product: espocrm
Version / Range: up to 9.3.4 (excluding)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker to bypass internal-host validation and make the server perform requests to internal loopback services that are normally inaccessible externally.

By exploiting this, an attacker could potentially access sensitive internal resources or services that are only reachable from the application runtime environment.

The attacker can also store the fetched internal responses as attachments, which might lead to unauthorized data exposure or further exploitation.


Can you explain this vulnerability to me?

This vulnerability affects EspoCRM versions 9.3.3 and below and is an authenticated Server-Side Request Forgery (SSRF) issue. It allows an attacker who is authenticated to bypass the internal-host validation by using alternative IPv4 address formats, such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1).

The root cause is that the function HostCheck::isNotInternalHost() relies on PHP's filter_var function with FILTER_VALIDATE_IP, which does not recognize these alternative IP formats. This causes the validation to fail and fall back to a DNS lookup that returns no records, mistakenly treating the host as safe. However, when cURL normalizes the address, it connects to the loopback address (internal host).

An authenticated user can exploit this via the /api/v1/Attachment/fromImageUrl endpoint to force the server to make requests to loopback-only services and store the response as an attachment. This may allow access to internal resources accessible from the application runtime.

This vulnerability is distinct from CVE-2023-46736, which involved redirect-based SSRF, and it has been fixed in EspoCRM version 9.3.4.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for authenticated requests to the /api/v1/Attachment/fromImageUrl endpoint that include URLs using alternative IPv4 notations such as octal representation (e.g., 0177.0.0.1 instead of 127.0.0.1).

You can check your server logs or network traffic for HTTP POST requests to this endpoint containing URLs with unusual IP formats that bypass normal internal-host validation.

For example, you might use commands like the following to search logs for suspicious requests:

  • grep -i 'POST /api/v1/Attachment/fromImageUrl' /var/log/apache2/access.log | grep -E '0177\.0\.0\.1|0x7f\.0\.0\.1'
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '0177\.0\.0\.1'

These commands help identify attempts to exploit the SSRF by using alternative IP notations in requests to the vulnerable API endpoint.
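The validation gap described in the description and in the answers above, shown as an added example in Python (this is not EspoCRM's PHP code and not the project's fix): a naive check that, like filter_var(FILTER_VALIDATE_IP), recognises only strict dotted-decimal and treats everything else as a hostname; a normaliser that parses the octal, hexadecimal, bare-integer and shortened forms that inet_aton (and therefore cURL) accepts, so it goes beyond the single octal spelling on the page; and a small scanner that applies the same normaliser to log lines mentioning the endpoint. The function names, the helper names and the sample log lines are constructed for this illustration.

```python
"""Added example, not EspoCRM code: strict IPv4 validation versus a
normaliser that understands inet_aton-style spellings, plus a log scanner
built on the same normaliser. Function names and sample data are assumed."""
import ipaddress
import re

# One inet_aton-style part: 0x.. is hex, a leading 0 means octal, else decimal.
_PART = r"(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)"
_LOOSE_IPV4 = re.compile(rf"^{_PART}(?:\.{_PART}){{0,3}}$", re.IGNORECASE)
ENDPOINT = "/api/v1/Attachment/fromImageUrl"
_URL_HOST = re.compile(r"https?://([^/:?#\s\"']+)", re.IGNORECASE)


def _part_value(part: str) -> int:
    part = part.lower()
    if part.startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def parse_ipv4_loose(host: str):
    """Parse the 1- to 4-part forms inet_aton (and so libcurl on most
    platforms) accepts; return a canonical IPv4Address or None."""
    if not _LOOSE_IPV4.match(host):
        return None
    parts = [_part_value(p) for p in host.split(".")]
    head, last = parts[:-1], parts[-1]
    if any(v > 0xFF for v in head):
        return None
    tail_bytes = 4 - len(head)          # the last part fills the remaining bytes
    if last >= 1 << (8 * tail_bytes):
        return None
    value = 0
    for v in head:
        value = (value << 8) | v
    return ipaddress.IPv4Address((value << (8 * tail_bytes)) | last)


def _is_internal_addr(addr: ipaddress.IPv4Address) -> bool:
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def naive_is_internal(host: str) -> bool:
    """The weak pattern: only strict dotted-decimal is recognised as an IP;
    anything else is treated as a hostname, and with no DNS records the
    caller falls through to 'safe'. (No DNS lookup is performed here.)"""
    try:
        return _is_internal_addr(ipaddress.IPv4Address(host))
    except ValueError:
        return False


def hardened_is_internal(host: str) -> bool:
    """Normalise every IPv4 spelling before classifying it. A non-literal
    host returns False here only because resolution is out of scope; in
    real code every resolved address must go through _is_internal_addr."""
    addr = parse_ipv4_loose(host)
    return addr is not None and _is_internal_addr(addr)


def suspicious_hosts(line: str) -> list:
    """Hosts in the line that are IPv4 literals in a non-canonical spelling
    or that land in an internal range once normalised."""
    found = []
    for host in _URL_HOST.findall(line):
        addr = parse_ipv4_loose(host)
        if addr is not None and (host != str(addr) or _is_internal_addr(addr)):
            found.append(host)
    return found


def scan_log(lines) -> list:
    """(line number, suspicious hosts) for lines that reference the endpoint."""
    hits = []
    for number, line in enumerate(lines, 1):
        if ENDPOINT in line:
            hosts = suspicious_hosts(line)
            if hosts:
                hits.append((number, hosts))
    return hits


# Constructed sample lines in a combined-log style with the submitted URL
# appended; real logs only contain the URL if the application writes it.
SAMPLE_LOG = [
    '10.0.0.5 - alice [13/Apr/2026:10:00:01 +0000] "POST /api/v1/Attachment/fromImageUrl HTTP/1.1" 200 url=http://0177.0.0.1:8080/status',
    '10.0.0.5 - alice [13/Apr/2026:10:00:02 +0000] "POST /api/v1/Attachment/fromImageUrl HTTP/1.1" 200 url=https://example.com/logo.png',
    '10.0.0.6 - bob [13/Apr/2026:10:00:03 +0000] "POST /api/v1/Attachment/fromImageUrl HTTP/1.1" 200 url=http://2130706433/',
    '10.0.0.6 - bob [13/Apr/2026:10:00:04 +0000] "GET /api/v1/User HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for host in ("127.0.0.1", "0177.0.0.1", "0x7f.1", "2130706433", "example.com"):
        print(f"{host:12} naive={naive_is_internal(host)!s:5} hardened={hardened_is_internal(host)}")
    for number, hosts in scan_log(SAMPLE_LOG):
        print(f"line {number}: non-canonical or internal IPv4 literal {hosts}")
```

A hardened check has to judge the address the client will actually connect to: normalise literals before classifying them, resolve hostnames and classify every returned address, and then connect to the checked address rather than resolving again. The scanner is only useful where the submitted URL reaches a log at all; a stock web-server access log records the request line, so a URL carried in the request body has to come from the application's own logging or from captured traffic, as the tcpdump command above does.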


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade EspoCRM to version 9.3.4 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the /api/v1/Attachment/fromImageUrl endpoint to trusted users only, as the vulnerability requires authentication.

Additionally, monitor and block requests containing alternative IPv4 notations such as octal IP addresses in URLs to prevent exploitation.

Consider implementing network-level controls to restrict server-side requests to internal-only services from the EspoCRM server.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-33534 is an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing internal-host validation and accessing internal services. This could potentially expose sensitive internal resources by storing fetched responses as attachments.

Such unauthorized access to internal services and potential exposure of sensitive data may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.

However, the provided information does not explicitly discuss compliance implications or specific impacts on these regulations.

