CVE-2026-41141
EspoCRM versions before 9.3.5 contain an access control bypass in the email template preparation endpoint. An authenticated user with basic EmailTemplate read permissions can extract sensitive field data from any Contact, Lead, Account, or User record by providing the target's email address—effectively circumventing role-based visibility restrictions. This allows lower-privileged users to read information they should not have access to, such as financial details, personal fields, or team-restricted records.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) without performing an ACL check. An authenticated user with EmailTemplate read permission can extract all field values of any entity by supplying the target's email address, bypassing read: own or read: team ACL restrictions. This vulnerability is fixed in 9.3.5.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The POST /api/v1/EmailTemplate/:id/prepare endpoint in EspoCRM resolves entity ownership from an emailAddress parameter without validating Access Control List (ACL) restrictions on the resolved record. While the endpoint correctly enforces EmailTemplate read permissions, it bypasses the read: own and read: team ACL checks on the target entity itself. An authenticated attacker can supply any email address associated with a Contact, Lead, Account, or User to retrieve all field values of that entity, regardless of role-based access policies. The vulnerability stems from missing authorization checks at the entity resolution layer.
Business impact
This vulnerability enables unauthorized information disclosure within CRM deployments. Sales or support staff with limited access could extract confidential account data, prospect intelligence, or internal user information beyond their organizational role. In multi-tenant or highly segmented CRM environments, this could expose sensitive customer data, competitive information, or employee records. The breach of data confidentiality may trigger compliance violations (GDPR, HIPAA, SOC 2) and erode customer trust. However, data integrity and availability remain unaffected, limiting immediate operational disruption.
Affected systems
EspoCRM versions prior to 9.3.5 are vulnerable. The open-source CRM application is commonly self-hosted by small to mid-sized organizations, resellers, and service providers. Any instance running an unpatched version with authenticated users is at risk.
Exploitability
Exploitation requires valid authentication credentials and EmailTemplate read permission—a low privilege level in most CRM role models. The attack is trivial to execute via standard HTTP tools or the REST API; no user interaction is needed. An attacker need only know or enumerate email addresses of target entities, which are often discoverable or publicly listed. The attack succeeds over the network and is repeatable at scale, making it practical for data harvesting. The CVSS score of 6.5 (Medium) reflects the low attack complexity and lack of prerequisites, offset by the requirement for prior authentication.
Remediation
Upgrade EspoCRM to version 9.3.5 or later. The patch enforces proper ACL validation on entity resolution within the email template endpoint, ensuring that users can only access records they are authorized to read. Organizations unable to upgrade immediately should restrict EmailTemplate read permissions to trusted roles and implement network-level access controls to the email template API endpoints.
Patch guidance
Update EspoCRM to 9.3.5 or newer via the vendor's official release channels. Verify the update through the admin panel (Settings > System > About) or package manager. Test the patch in a staging environment before production deployment to confirm no workflow or integration breakage. Review which users hold EmailTemplate read permissions post-patch and align with least-privilege principles.
Detection guidance
Monitor API access logs for repeated POST requests to /api/v1/EmailTemplate/:id/prepare with diverse emailAddress parameter values, particularly from lower-privileged accounts. Alert on attempts to access email template endpoints from unusual source IPs or outside business hours. Review audit logs for bulk template preparations targeting high-value entities (executive accounts, VIP customers). Implement query logging on the ORM layer to detect entity resolution without matching ACL queries. Baseline expected API call patterns and flag anomalies.
Why prioritize this
Although rated CVSS Medium, this vulnerability should be prioritized for patching due to its low exploitation barrier and high business sensitivity. Authenticated users are plentiful in most CRM deployments, EmailTemplate read permissions are commonly granted, and email addresses are easy to obtain. The confidentiality impact is direct and measurable. Organizations in regulated industries (finance, healthcare, legal) or with sensitive customer data should treat this as a priority patch.
Risk score, explained
CVSS 3.1 6.5 (Medium) reflects: Network attack surface (AV:N), low attack complexity (AC:L), requirement for valid credentials (PR:L), no user interaction (UI:N), and confidentiality impact (C:H) confined to the target scope (S:U) with no integrity or availability impact. The score appropriately weights the ease of exploitation against the authentication prerequisite. However, contextual factors—such as the prevalence of CRM data sensitivity and the trivial nature of the attack—may justify treating this as high-priority in your risk model.
Frequently asked questions
Can an attacker access data from entities they should be able to read normally?
No. The vulnerability only bypasses ACL checks when using the email template endpoint. Accessing the same entity through standard API endpoints remains governed by normal ACL rules. The bug is specific to the entity resolution logic in the /prepare endpoint.
Does this vulnerability allow modification or deletion of records?
No. The attack is read-only. The endpoint does not accept parameters to modify or delete data, only to extract field values. Integrity of records is not at risk.
What if our EspoCRM instance has no external network access?
Internal-only deployment reduces the attack surface but does not eliminate risk. Insider threats, compromised admin accounts, or lateral movement from other breached systems could exploit this. Patching is still recommended to maintain security posture.
Do we need to rotate customer data or notify regulators?
Not solely due to this vulnerability's existence. However, if you have reason to believe the vulnerability was exploited (via log evidence), consult your legal and compliance teams on breach notification obligations under applicable regulations.
This analysis is provided for informational purposes and reflects the state of publicly available information as of the publication date. The absence of CVE inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog does not guarantee absence of active exploitation. Verify all patch version numbers and availability against the official EspoCRM release notes and security advisories before deployment. Organizations should conduct their own risk assessment and testing in staging environments. SEC.co disclaims liability for damages arising from reliance on this guidance or delayed patching decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Browse
Related vulnerabilities
- CVE-2026-10154MEDIUM
CVE-2026-10154: Dolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUM
CVE-2026-10212: AstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUM
CVE-2026-10597: OMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-23638MEDIUM
CVE-2026-23638: Kiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24753MEDIUM
CVE-2026-24753: Kiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24755MEDIUM
CVE-2026-24755 Kiteworks IDOR Authorization Flaw in Secure Data Forms
- CVE-2026-24756MEDIUM
CVE-2026-24756: Kiteworks IDOR Vulnerability – Unauthorized Data Modification Risk
- CVE-2026-3173MEDIUM
CVE-2026-3173: WordPress Meta Field Block Insecure Direct Object Reference (IDOR) Vulnerability