CVE-2026-41141
Email Template ACL Bypass in EspoCRM
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| espocrm | espocrm | 9.3.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41141 is an Insecure Direct Object Reference (IDOR) vulnerability in EspoCRM, specifically in the /api/v1/EmailTemplate/:id/prepare endpoint.
This endpoint accepts an emailAddress parameter and resolves the owning entity (such as Contact, Lead, Account, or User) without performing an access control list (ACL) check.
As a result, an authenticated user with EmailTemplate read permission can bypass ACL restrictions like "read: own" or "read: team" and extract all field values of any entity by supplying the target's email address.
The vulnerability occurs because when an email address is provided, the system retrieves the associated entity and includes it in the template rendering context without verifying the user's permissions.
This allows attackers to access sensitive information such as personal details, internal notes, and custom field values.
The issue is fixed in EspoCRM version 9.3.5.
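The following is an added example, not EspoCRM's own code: a small Python model of the defect described above and of the record-level check that closes it. The ACL levels `own`, `team` and `all`, the `User`/`Entity` shapes, and the function names `prepare_vulnerable`, `prepare_fixed` and `can_read` are all assumptions made for illustration; the sample data is constructed. The vulnerable handler resolves the entity from the caller-supplied email address and drops its fields into the rendering context, which is exactly the CWE-639 pattern (access keyed on a user-controlled identifier with no authorization on the resolved record). The hardened handler performs the read check before the entity may contribute to the context.

```python
from dataclasses import dataclass

# Constructed model (example only, not EspoCRM code) of record-level ACL with the
# "own" / "team" / "all" read levels the advisory mentions.


@dataclass(frozen=True)
class User:
    id: str
    team_ids: frozenset
    read_level: str  # hypothetical: "own", "team" or "all"


@dataclass(frozen=True)
class Entity:
    entity_type: str          # e.g. "Contact", "Lead", "Account", "User"
    email: str
    assigned_user_id: str
    team_ids: frozenset
    fields: dict              # field values the template may reference


class AccessDenied(Exception):
    """Raised when the ACL does not allow the requested read."""


def can_read(user: User, entity: Entity) -> bool:
    """Record-level read check for the three assumed ACL levels."""
    if user.read_level == "all":
        return True
    if entity.assigned_user_id == user.id:      # owner may always read ("own" and above)
        return True
    if user.read_level == "team":
        return bool(user.team_ids & entity.team_ids)
    return False


def find_entity_by_email(entities, email_address: str):
    """Resolve the owning entity for an email address (case-insensitive match)."""
    wanted = email_address.strip().lower()
    for entity in entities:
        if entity.email.lower() == wanted:
            return entity
    return None


def render(template: str, context: dict) -> str:
    """Minimal {{Type.field}} substitution standing in for the real template engine."""
    out = template
    for entity_type, fields in context.items():
        for name, value in fields.items():
            out = out.replace("{{%s.%s}}" % (entity_type, name), str(value))
    return out


def prepare_vulnerable(user, entities, template, email_address):
    """CWE-639 pattern: the entity is resolved by the supplied key and
    placed in the rendering context with no ACL check."""
    context = {}
    entity = find_entity_by_email(entities, email_address)
    if entity is not None:
        context[entity.entity_type] = entity.fields   # missing: can_read(user, entity)
    return render(template, context)


def prepare_fixed(user, entities, template, email_address):
    """Same flow, but the resolved entity must pass the record-level ACL
    check before it can contribute field values to the template."""
    context = {}
    entity = find_entity_by_email(entities, email_address)
    if entity is not None:
        if not can_read(user, entity):
            raise AccessDenied("%s %s: read denied for user %s"
                               % (entity.entity_type, entity.email, user.id))
        context[entity.entity_type] = entity.fields
    return render(template, context)


def attempt(prepare_fn, user, entities, template, email_address):
    """Return the rendered template, or None when the ACL refuses the request."""
    try:
        return prepare_fn(user, entities, template, email_address)
    except AccessDenied:
        return None


# Constructed sample data: a "read: own" user and a Contact owned by someone else.
ALICE = User(id="alice", team_ids=frozenset({"sales"}), read_level="own")
CONTACTS = [
    Entity("Contact", "dana@example.test", assigned_user_id="bob",
           team_ids=frozenset({"support"}),
           fields={"name": "Dana", "internalNote": "negotiating exit"}),
    Entity("Contact", "eve@example.test", assigned_user_id="alice",
           team_ids=frozenset({"sales"}),
           fields={"name": "Eve", "internalNote": "renewal due"}),
]
TEMPLATE = "Hi {{Contact.name}}. Note: {{Contact.internalNote}}"

if __name__ == "__main__":
    # The "own"-level user sees another user's Contact through the unchecked path only.
    print(attempt(prepare_vulnerable, ALICE, CONTACTS, TEMPLATE, "dana@example.test"))
    print(attempt(prepare_fixed, ALICE, CONTACTS, TEMPLATE, "dana@example.test"))
    print(attempt(prepare_fixed, ALICE, CONTACTS, TEMPLATE, "eve@example.test"))
```

The check sits immediately after the lookup and before the entity touches the rendering context, so every template variable is covered regardless of which fields the template references. Whether a failed check should return an error (as `prepare_fixed` does) or silently omit the entity is a product decision; either closes the leak, and the error variant is easier to alert on.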
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information stored in EspoCRM.
An attacker with EmailTemplate read permission can extract all field values of any entity (Contacts, Leads, Accounts, or Users) by supplying their email address, bypassing ACL restrictions.
The exposed data may include personal details, internal notes, and custom fields, which could lead to privacy violations, data leaks, and potential misuse of confidential information.
The vulnerability has a moderate severity with a CVSS score of 6.5, mainly due to its high confidentiality impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /api/v1/EmailTemplate/:id/prepare endpoint of EspoCRM for unauthorized data access when supplying the emailAddress parameter.
An authenticated user with EmailTemplate read permission can attempt to supply different email addresses to the endpoint and observe if sensitive entity data (such as Contact, Lead, Account, or User fields) is returned without proper ACL checks.
A possible command using curl to test this could be (replace the angle-bracket placeholders with your own values):

```shell
curl -X POST \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"emailAddress": "<target-email>"}' \
  https://<espocrm-domain>/api/v1/EmailTemplate/<template_id>/prepare
```
If the response contains detailed fields of the entity associated with the email address without proper access restrictions, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended step to mitigate this vulnerability is to update EspoCRM to version 9.3.5 or later, where the issue has been fixed.
Until the update can be applied, restrict access to the /api/v1/EmailTemplate/:id/prepare endpoint to only trusted users and monitor usage closely.
Additionally, review and limit EmailTemplate read permissions to only necessary users to reduce the risk of exploitation.