{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33740", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-04-13T20:37:28.831Z", "dateUpdated": "2026-04-14T15:50:45.744Z"}, "containers": {"cna": {"title": "EspoCRM: Email importEml can import and delete another user's attachment by raw fileId", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-wr7j-hxf8-hc4w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-wr7j-hxf8-hc4w"}, {"name": "https://github.com/espocrm/espocrm/commit/88e3ba6a7b5cab5dbc2298e2a093d3aa383aa95f", "tags": ["x_refsource_MISC"], "url": "https://github.com/espocrm/espocrm/commit/88e3ba6a7b5cab5dbc2298e2a093d3aa383aa95f"}, {"name": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4"}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"version": "< 9.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T20:37:28.831Z"}, "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4."}], "source": {"advisory": "GHSA-wr7j-hxf8-hc4w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:50:34.616765Z", "id": "CVE-2026-33740", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:50:45.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33740", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:50:34.616765Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:50:41.690Z"}}], "cna": {"title": "EspoCRM: Email importEml can import and delete another user's attachment by raw fileId", "source": {"advisory": "GHSA-wr7j-hxf8-hc4w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"status": "affected", "version": "< 9.3.4"}]}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-wr7j-hxf8-hc4w", "name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-wr7j-hxf8-hc4w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/espocrm/espocrm/commit/88e3ba6a7b5cab5dbc2298e2a093d3aa383aa95f", "name": "https://github.com/espocrm/espocrm/commit/88e3ba6a7b5cab5dbc2298e2a093d3aa383aa95f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "name": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T20:37:28.831Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33740", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:50:45.744Z", "dateReserved": "2026-03-23T17:34:57.561Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T20:37:28.831Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4."}], "id": "CVE-2026-33740", "lastModified": "2026-04-13T21:16:25.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T21:16:25.007", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/espocrm/espocrm/commit/88e3ba6a7b5cab5dbc2298e2a093d3aa383aa95f"}, {"source": "security-advisories@github.com", "url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-wr7j-hxf8-hc4w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.3.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "espocrm", "source": "cna", "vendor": "espocrm"}, "product": "espocrm", "vendor": "espocrm"}], "analysis": {"en": {"generated_at": "2026-04-13T22:25:57.371537+00:00", "value": {"mitigation_remediation": ["Apply the 9.3.4 patch or later immediately.", "If patching cannot be done promptly, restrict the Email:create and Import permissions to trusted users or disable the importEml endpoint until the vulnerability is fixed.", "Verify that the IDOR is no longer present by attempting to access another user\u2019s attachment ID with the same permissions after applying the fix."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access and deletion of other users\u2019 attachments"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in EspoCRM versions 9.3.3 and earlier. Version 9.3.4 and later contain a fix that enforces proper access control on attachment retrieval.", "description_and_impact": "EspoCRM contains an IDOR flaw in the POST /api/v1/Email/importEml endpoint that allows any authenticated user with Email:create and Import permissions to provide a fileId and read the contents of another user\u2019s .eml attachment. The endpoint also deletes the original attachment record as part of the import flow, which violates the standard permission checks applied to attachment download. This results in confidential data exposure and accidental loss of attachment data for the victim.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity. Exploitation requires a legitimate Authenticated user who has the Email:create and Import permissions, which limits the attack surface to users with those rights. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. However, attachment IDs are frequently exposed in normal UI and API workflows, making the IDOR practically exploitable for users who meet the permission criteria."}}}}, "created": "2026-04-14T16:18:12.054281+00:00", "updated": "2026-04-14T16:33:19.042930+00:00", "vendors": ["espocrm", "espocrm$PRODUCT$espocrm"]}