Description

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4.

INFO

Published Date :

2026-04-13T20:37:28.831Z

Last Modified :

2026-04-14T15:50:45.744Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33740 vulnerability.

Vendors Products
Espocrm
  • Espocrm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33740.

URL Resource
https://github.com/espocrm/espocrm/commit/88e3ba6a7b5cab5dbc2298e2a093d3aa383aa95f cve-icon cve-icon
https://github.com/espocrm/espocrm/releases/tag/9.3.4 cve-icon cve-icon
https://github.com/espocrm/espocrm/security/advisories/GHSA-wr7j-hxf8-hc4w cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact