Insecure Direct Object Reference in EspoCRM Open Source CRM Application
CVE-2026-33740

5.4 MEDIUM

Key Information:

Vendor

Espocrm

Status
Vendor
CVE Published:
13 April 2026

What is CVE-2026-33740?

EspoCRM, an open source customer relationship management application, contains an Insecure Direct Object Reference (IDOR) vulnerability in its email import functionality. The POST /api/v1/Email/importEml endpoint accepts a fileId parameter that identifies an uploaded .eml attachment and imports that file without verifying that the caller is allowed to read it. As a result, any authenticated user who holds the permission to import emails can supply another user's attachment ID, import that user's .eml file into their own mailbox and read its contents, an unauthorized disclosure of email data. Attachment IDs are routinely visible through standard user interface and API workflows, so an attacker does not need to guess them. The issue is fixed in version 9.3.4.
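The access-control failure described above, as an added example written for this page (it is not EspoCRM's code and does not reproduce the 9.3.4 patch): a minimal Python model of an importEml-style handler in its vulnerable form beside a hardened one. The in-memory attachment store, the created_by ownership field, the owner-or-admin rule in can_read_attachment and the sample .eml are all constructed assumptions; EspoCRM's real ACL model is not represented.

```python
"""
Added illustration (not EspoCRM code) of the IDOR pattern behind CVE-2026-33740:
an import handler that resolves an attachment by a client-supplied fileId and
acts on it without checking that the caller may read that attachment.
"""
from dataclasses import dataclass
from email import message_from_bytes
from typing import Callable, Dict


class NotFound(Exception):
    """The referenced attachment does not exist."""


class Forbidden(Exception):
    """The caller is not allowed to read the referenced attachment."""


@dataclass(frozen=True)
class User:
    id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Attachment:
    id: str
    created_by: str  # assumed ownership field; a real ACL model is richer than this
    contents: bytes


# Constructed sample .eml, standing in for a file uploaded by user "alice".
SAMPLE_EML = (
    b"From: alice@example.com\r\n"
    b"To: partner@example.net\r\n"
    b"Subject: Q2 pricing\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Confidential: 18% discount approved for the partner deal.\r\n"
)


def build_demo_store() -> Dict[str, Attachment]:
    """Attachment table with one record. The ID is the kind of value that is
    routinely shown in UI and API responses, so it must not be treated as a secret."""
    return {"att-0001": Attachment("att-0001", created_by="alice", contents=SAMPLE_EML)}


def parse_eml(data: bytes) -> dict:
    """Extract the fields an importer would persist as an Email record."""
    msg = message_from_bytes(data)
    body = msg.get_payload(decode=True) or b""
    return {
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "body": body.decode("utf-8", errors="replace").strip(),
    }


def import_eml_vulnerable(store: Dict[str, Attachment], caller: User, file_id: str) -> dict:
    """Vulnerable shape: the only check is existence. Any authenticated caller who
    knows (or is shown) a fileId receives the parsed contents of someone else's email."""
    attachment = store.get(file_id)
    if attachment is None:
        raise NotFound(file_id)
    return parse_eml(attachment.contents)


def can_read_attachment(caller: User, attachment: Attachment) -> bool:
    """Assumed access rule: owner or admin. A real application would consult its
    ACL layer (record-level read access on the attachment and on its parent)."""
    return caller.is_admin or attachment.created_by == caller.id


def import_eml_fixed(store: Dict[str, Attachment], caller: User, file_id: str) -> dict:
    """Hardened shape: resolve the object, then authorize the caller against that
    specific object before doing anything with its contents."""
    attachment = store.get(file_id)
    if attachment is None:
        raise NotFound(file_id)
    if not can_read_attachment(caller, attachment):
        # Kept distinct from NotFound for readability; an API that wants to avoid
        # confirming which IDs exist would return the same error in both cases.
        raise Forbidden(file_id)
    return parse_eml(attachment.contents)


def outcome(handler: Callable, store: Dict[str, Attachment], caller: User, file_id: str) -> str:
    """Classify a handler call as 'ok', 'forbidden' or 'not-found' for comparison."""
    try:
        handler(store, caller, file_id)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not-found"


if __name__ == "__main__":
    store = build_demo_store()
    bob = User("bob")  # authenticated, may import emails, does not own att-0001
    print("vulnerable:", outcome(import_eml_vulnerable, store, bob, "att-0001"),
          import_eml_vulnerable(store, bob, "att-0001")["subject"])
    print("fixed:     ", outcome(import_eml_fixed, store, bob, "att-0001"))
```

The check that matters is the one between resolving the record and using it: the vulnerable handler authorizes the caller to call the endpoint but never authorizes the caller against the specific attachment the fileId names. On a live instance the equivalent test is whether a low-privileged user with email import rights, submitting another user's attachment ID as fileId to POST /api/v1/Email/importEml, gets that email's contents back; versions before 9.3.4 should be assumed to do so.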

Affected Version(s)

espocrm < 9.3.4

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 13 April 2026

  • Vulnerability reserved