CVE-2026-33740
IDOR Vulnerability in EspoCRM Email Attachment Import Allows Data Exposure
Publication date: 2026-04-13
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| espocrm | espocrm | < 9.3.4 (9.3.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in EspoCRM versions 9.3.3 and below, specifically in the POST /api/v1/Email/importEml endpoint. It is an Insecure Direct Object Reference (IDOR) issue where the attacker can supply a fileId parameter to fetch any email attachment directly from the repository without proper authorization checks.
Any authenticated user with Email:create and Import permissions can exploit this vulnerability to read another user's .eml attachment contents by importing them as a new email into their own mailbox. Additionally, the original victim's attachment record is deleted as a side effect of this import process.
This behavior is inconsistent with the standard attachment download path, which enforces access control checks before returning file data. The vulnerability is practically exploitable because attachment IDs are commonly exposed in normal user interface and API workflows, such as stream payloads and download links.
The issue was fixed in EspoCRM version 9.3.4.
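The access-control gap described above, shown as an added illustration that is not EspoCRM's own code: a caller-supplied fileId is resolved straight from a repository in the vulnerable shape, and only after a read check (the same kind the download path applies) in the hardened shape. All class, method and function names, the Acl rule and the sample records are hypothetical.

```php
<?php
// Added illustration, not EspoCRM's code: every class and function name below is
// hypothetical. It contrasts an import handler that trusts a caller-supplied
// fileId with one that applies the same read check as the download path.
final class Attachment {
    public function __construct(
        public readonly string $id,
        public readonly string $ownerId,
        public readonly string $contents,
        public bool $deleted = false,
    ) {}
}
final class AttachmentRepository {
    /** @var array<string, Attachment> */
    private array $rows = [];
    public function save(Attachment $a): void { $this->rows[$a->id] = $a; }
    public function get(string $id): ?Attachment { return $this->rows[$id] ?? null; }
}
final class Acl {
    // Simplified rule standing in for a real ACL: only the owner may read.
    public function checkRead(string $userId, Attachment $a): bool {
        return $a->ownerId === $userId;
    }
}
// Vulnerable shape (CWE-639): returns whatever record the request names and
// marks it deleted as a side effect, with no check on who is asking.
function importEmlVulnerable(AttachmentRepository $repo, string $fileId): ?string {
    $att = $repo->get($fileId);
    if ($att === null) { return null; }
    $att->deleted = true;
    return $att->contents;
}
// Hardened shape: verify the caller's read access before returning any data,
// and leave the original record in place.
function importEmlHardened(AttachmentRepository $repo, Acl $acl, string $userId, string $fileId): ?string {
    $att = $repo->get($fileId);
    if ($att === null || $att->deleted || !$acl->checkRead($userId, $att)) {
        return null;  // a real controller would respond 403 or 404 here
    }
    return $att->contents;
}
// Constructed sample: "victim" owns att-1 and "alice" submits that id.
$repo = new AttachmentRepository();
$repo->save(new Attachment('att-1', 'victim', "From: a@example.test\r\n\r\nbody"));
$acl = new Acl();
var_dump(importEmlHardened($repo, $acl, 'alice', 'att-1'));   // alice is refused
var_dump(importEmlHardened($repo, $acl, 'victim', 'att-1'));  // owner still gets the contents
var_dump(importEmlVulnerable($repo, 'att-1') !== null);       // no check: contents leaked and record deleted
```

The point of the contrast is that the authorization decision must be made in every code path that resolves an attachment id, not only in the download controller, and that an import should copy rather than consume the source record.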
How can this vulnerability impact me?
This vulnerability can impact you by allowing an authenticated user with certain permissions to access and read email attachments belonging to other users without proper authorization.
This unauthorized access can lead to exposure of sensitive or confidential information contained within email attachments.
Additionally, the original attachment record is deleted as a side effect, which could result in data loss or disruption of normal email workflows.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in EspoCRM version 9.3.4. Immediate mitigation involves upgrading EspoCRM to version 9.3.4 or later.
Until the upgrade can be performed, restrict or review user permissions, especially the Email:create and Import permissions, to limit the ability of authenticated users to exploit the IDOR vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user with certain permissions to access and import email attachments belonging to other users without proper authorization checks. This unauthorized access to potentially sensitive email attachments could lead to exposure of personal or confidential data.
Such unauthorized data access and potential data leakage may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect user privacy and data security.
However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.