CVE-2026-33659
Received Received - Intake
SSRF Vulnerability in EspoCRM Attachment API Enables Internal Network Access

Publication date: 2026-04-13

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33659
EUVD
EUVD-2026-22083
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
espocrm espocrm to 9.3.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in EspoCRM versions 9.3.3 and below exists in the POST /api/v1/Attachment/fromImageUrl endpoint, which is susceptible to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition.

The issue arises because host validation uses dns_get_record() to verify the hostname, but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()). These two methods can return different IP addresses for the same hostname, allowing an attacker to bypass host validation.

Additionally, if the DNS lookup returns an empty result (due to DNS failure, IPv6-only domains, or non-existent hostnames), the validation implicitly allows the host without further checks.

An authenticated attacker with default attachment creation access can exploit this to bypass internal IP restrictions, scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services.

However, the vulnerability does not allow data extraction from binary protocol services or remote code execution through this endpoint.

This vulnerability was fixed in EspoCRM version 9.3.4.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can allow an authenticated attacker with attachment creation access to bypass internal IP restrictions.

The attacker can scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services.

While the vulnerability does not permit remote code execution or data extraction from binary protocol services, it can still expose internal network information and services that are otherwise protected.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade EspoCRM to version 9.3.4 or later, where the issue has been fixed.

Detection Guidance

Detection of CVE-2026-33659 involves monitoring and testing the POST /api/v1/Attachment/fromImageUrl endpoint for Server-Side Request Forgery (SSRF) attempts exploiting DNS rebinding.

One practical approach is to perform authenticated requests to this endpoint with URLs pointing to attacker-controlled domains that initially resolve to a public IP and then change to internal IPs, observing if internal network access or error responses indicating internal interaction occur.

Since the vulnerability arises from inconsistent DNS resolution between dns_get_record() and curl's internal resolver, commands or scripts that simulate DNS rebinding attacks can be used to detect it.

Suggested commands include using curl to send POST requests with crafted URLs to the vulnerable endpoint, for example:

  • curl -X POST -H "Authorization: Bearer <token>" -d '{"url":"http://attacker-controlled-domain/image.jpg"}' https://<espocrm-host>/api/v1/Attachment/fromImageUrl

By controlling the DNS records of attacker-controlled-domain to switch from a public IP to an internal IP after validation, you can observe if the server attempts to access internal IPs, indicated by specific error responses such as HTTP 500 with headers related to bad image data.

Additionally, network monitoring tools can be used to detect unexpected outbound requests from the EspoCRM server to internal IP addresses triggered by such requests.

No specific built-in commands or automated detection scripts are provided in the resources, but the described method of authenticated POST requests combined with DNS rebinding manipulation and network traffic analysis is the recommended detection approach.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart