Server-Side Request Forgery Vulnerability in EspoCRM by EspoCRM
CVE-2026-33659

3.5 LOW

Key Information:

Vendor: Espocrm
Status: Vendor
CVE Published: 13 April 2026

What is CVE-2026-33659?

EspoCRM, an open-source customer relationship management application, contains a Server-Side Request Forgery (SSRF) vulnerability in the POST /api/v1/Attachment/fromImageUrl endpoint, caused by a DNS rebinding issue. The hostname is validated against the addresses returned by dns_get_record(), but the request itself is made by curl, which resolves the hostname again with its own resolver; the two lookups can return different IP addresses for the same hostname, so the address that is checked is not necessarily the address that is contacted. In addition, when the DNS lookup fails, the validation may incorrectly allow access to internal hosts. An authenticated attacker could use this to bypass IP restrictions, probe internal network ports, and interact with internal HTTP services. The vulnerability does not allow data to be extracted from services that use binary protocols, and it does not enable remote code execution through this endpoint. It was fixed in EspoCRM version 9.3.4.
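The following PHP is an added illustration of the pattern the advisory describes, not EspoCRM's own code or its fix: a check-then-fetch function in which dns_get_record() and curl resolve the hostname independently (and a failed lookup rejects nothing), beside a version that resolves once, fails closed on a missing answer, and pins the validated address with CURLOPT_RESOLVE so curl performs no second lookup. The function names isPublicIp, fetchWeak and fetchPinned are assumptions made for the example.

```php
<?php
// Added illustration, not EspoCRM's code. Function names are hypothetical.

/** True when $ip is a valid address outside the private and reserved ranges. */
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Weak pattern. dns_get_record() answers the check, but curl resolves the same
// name again with its own resolver, so the two lookups can disagree (DNS
// rebinding). A failed lookup yields no records, the loop rejects nothing,
// and the request still goes out: the check fails open.
function fetchWeak(string $url): string|false
{
    $host = (string) parse_url($url, PHP_URL_HOST);
    foreach (dns_get_record($host, DNS_A) ?: [] as $record) {
        if (!isPublicIp($record['ip'])) {
            return false;
        }
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Hardened pattern: resolve once, treat any lookup failure as a rejection, and
// hand the validated address to curl so no independent lookup takes place.
function fetchPinned(string $url): string|false
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    $host    = trim($parts['host'], '[]');   // strip brackets from IPv6 literals
    $port    = $parts['port'] ?? ($parts['scheme'] === 'https' ? 443 : 80);
    $literal = filter_var($host, FILTER_VALIDATE_IP) !== false;

    if ($literal) {
        $ips = [$host];                          // literal address: nothing to resolve
    } else {
        $records = dns_get_record($host, DNS_A); // AAAA records need the same treatment
        if ($records === false || $records === []) {
            return false;                        // no answer is a rejection, not a pass
        }
        $ips = array_column($records, 'ip');
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return false;                        // every returned address must be public
        }
    }

    $options = [
        CURLOPT_RETURNTRANSFER => true,
        // A redirect would name a host that was never checked; refuse it.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ];
    if (!$literal) {
        // Pin the connection to the address that was just validated.
        $options[CURLOPT_RESOLVE] = ["{$host}:{$port}:{$ips[0]}"];
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $options);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
```

The two properties worth checking in any review of such an endpoint are visible here: the address curl connects to must be the one that was validated (the pin), and a lookup that returns nothing must be handled as a failure rather than as an empty set of addresses to reject. Disabling redirects matters for the same reason, since a 3xx response names a fresh host that the check never saw.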

Affected Version(s)

espocrm < 9.3.4

References

CVSS V3.1

Score: 3.5
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
