CVE-2026-23697
Received Received - Intake

Authenticated File Upload RCE in Vtiger CRM

Vulnerability report for CVE-2026-23697, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: VulnCheck

Description

Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the .phar extension. The uploaded file is stored with its original .phar extension under the web-accessible storage directory, and a misconfigured .htaccess using Apache 2.2 syntax is silently ignored on Apache 2.4 deployments, allowing unauthenticated HTTP requests to directly execute the uploaded PHP payload.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vtiger crm to 8.4.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-23697 is a critical authenticated file upload vulnerability in Vtiger CRM versions before 8.4.0. It allows low-privileged users to upload a .phar file containing arbitrary PHP code through the Documents module. This bypasses the extension denylist in the configuration, which does not block the .phar extension.

The uploaded .phar file is stored with its original extension in a web-accessible storage directory. A misconfigured .htaccess file using outdated Apache 2.2 syntax is ignored on Apache 2.4 deployments, allowing unauthenticated HTTP requests to execute the uploaded PHP code directly.

This combination of issues enables an attacker with low-level authenticated access to execute arbitrary commands on the server, potentially gaining control over the system.

Impact Analysis

This vulnerability can lead to remote code execution on the server hosting Vtiger CRM, allowing attackers to run arbitrary PHP code with the privileges of the web server user.

Post-exploitation, attackers may access sensitive data such as MySQL root credentials and API keys for all CRM users, potentially compromising the entire CRM system and its data.

The impact includes full system compromise, data theft, unauthorized access to customer information, and disruption of CRM services.

Detection Guidance

This vulnerability can be detected by checking for the presence of uploaded .phar files in the web-accessible storage directory of Vtiger CRM, especially within the Documents module upload area.

Additionally, verifying if the .htaccess file in the storage directory uses Apache 2.2 syntax (such as "deny from all") which is ignored on Apache 2.4 deployments without the mod_access_compat module can help identify misconfiguration.

Commands to assist detection include:

  • Find .phar files in the storage directory: `find /path/to/vtiger/storage -type f -name "*.phar"`
  • Check the contents of the .htaccess file in the storage directory: `cat /path/to/vtiger/storage/.htaccess`
  • Verify Apache version and loaded modules to confirm if mod_access_compat is enabled: `apachectl -M | grep access_compat` and `apachectl -v`
  • Check for enabled directory listing in the storage directory by reviewing Apache configuration or attempting to access the directory via HTTP.
Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Vtiger CRM to version 8.4.0 or later, where this vulnerability is fixed.
  • Modify the extension denylist in config.inc.php to explicitly block the .phar extension to prevent uploading of such files.
  • Correct the .htaccess file in the storage directory to use Apache 2.4 compatible syntax or ensure the mod_access_compat module is enabled to enforce access restrictions.
  • Disable directory listing in the storage directory to prevent attackers from discovering uploaded files.
  • Review and restrict user permissions to limit low-privileged users' ability to upload files.
Compliance Impact

This vulnerability allows authenticated low-privileged users to execute arbitrary code on the server, potentially leading to unauthorized access to sensitive data such as MySQL root credentials and API keys for all CRM users.

Such unauthorized access and potential data breaches could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access and disclosure.

Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of sensitive data, undermining compliance with these common standards and regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23697. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart