Compliance Impact

The vulnerability allows unauthorized access to sensitive personal and internal information by bypassing access control checks. This unauthorized data exposure can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Specifically, since an authenticated user with limited permissions can extract all field values of entities like Contacts, Leads, Accounts, or Users without proper authorization, this could result in a breach of confidentiality obligations mandated by these standards.

Therefore, until the vulnerability is patched (in version 9.3.5), affected EspoCRM installations risk violating compliance requirements related to data privacy and access control.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-41141 is an Insecure Direct Object Reference (IDOR) vulnerability in EspoCRM, specifically in the /api/v1/EmailTemplate/:id/prepare endpoint.

This endpoint accepts an emailAddress parameter and resolves the owning entity (such as Contact, Lead, Account, or User) without performing an access control list (ACL) check.

As a result, an authenticated user with EmailTemplate read permission can bypass ACL restrictions like "read: own" or "read: team" and extract all field values of any entity by supplying the target's email address.

The vulnerability occurs because when an email address is provided, the system retrieves the associated entity and includes it in the template rendering context without verifying the user's permissions.

This allows attackers to access sensitive information such as personal details, internal notes, and custom field values.

The issue is fixed in EspoCRM version 9.3.5.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored in EspoCRM.

An attacker with EmailTemplate read permission can extract all field values of any entity (Contacts, Leads, Accounts, or Users) by supplying their email address, bypassing ACL restrictions.

The exposed data may include personal details, internal notes, and custom fields, which could lead to privacy violations, data leaks, and potential misuse of confidential information.

The vulnerability has a moderate severity with a CVSS score of 6.5, mainly due to its high confidentiality impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the /api/v1/EmailTemplate/:id/prepare endpoint of EspoCRM for unauthorized data access when supplying the emailAddress parameter.

An authenticated user with EmailTemplate read permission can attempt to supply different email addresses to the endpoint and observe if sensitive entity data (such as Contact, Lead, Account, or User fields) is returned without proper ACL checks.

A possible command using curl to test this could be:

• curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"emailAddress": "[email protected]"}' https://<espocrm-domain>/api/v1/EmailTemplate/<template_id>/prepare

If the response contains detailed fields of the entity associated with the email address without proper access restrictions, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to update EspoCRM to version 9.3.5 or later, where the issue has been fixed.

Until the update can be applied, restrict access to the /api/v1/EmailTemplate/:id/prepare endpoint to only trusted users and monitor usage closely.

Additionally, review and limit EmailTemplate read permissions to only necessary users to reduce the risk of exploitation.

Useful 0 Not Useful 0