CVE-2026-33656
Awaiting Analysis Awaiting Analysis - Queue

Path Traversal via Attachment sourceId in EspoCRM Formula Engine

Vulnerability report for CVE-2026-33656, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-22
Last Modified
2026-04-27
Generated
2026-07-06
AI Q&A
2026-04-23
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
espocrm espocrm to 9.3.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in EspoCRM versions prior to 9.3.4. It involves the built-in formula scripting engine that allows an authenticated admin user to overwrite the sourceId field on Attachment entities.

Because the sourceId value is concatenated directly into a file path without any sanitization in the EspoUploadDir::getFilePath() function, an attacker can manipulate this to redirect file read or write operations to arbitrary paths within the web server's open_basedir scope.

This means an attacker with admin privileges can potentially access or modify files outside the intended directories, leading to serious security risks.

Impact Analysis

The vulnerability can have severe impacts including unauthorized reading or writing of files within the web server's allowed directory scope.

  • Confidential data exposure by reading sensitive files.
  • Data integrity compromise by overwriting or modifying files.
  • Potential for further exploitation by manipulating files critical to the application or server.

Overall, it can lead to a complete compromise of confidentiality, integrity, and availability of the affected system.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade EspoCRM to version 9.3.4 or later, as this version fixes the issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33656. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart