CVE-2026-41160
EspoCRM contains a logic flaw that allows lower-privileged users to pin notes they don't have permission to edit. The vulnerability stems from a timing issue in the API backend: the system modifies the note in the database before checking whether the user is actually authorized to do so. Even though the server returns an error message afterward, the damage is already done—the note remains pinned. This affects EspoCRM versions before 9.3.5.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-284, CWE-639, CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first, authorize later" execution flaw in the backend API, even though the server correctly returns a 403 Forbidden error, the targeted note's pinned status is already persistently modified in the database. The root cause lies in the server-side processing of the POST /api/v1/Note/{id}/pin endpoint. In application/Espo/Tools/Stream/Api/PostNotePin.php, the process() method first calls getNote($id) before calling checkParent($note). This vulnerability is fixed in 9.3.5.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41160 is a broken access control vulnerability in EspoCRM's note-pinning API endpoint (/api/v1/Note/{id}/pin). The root cause is a "write-first-authorize-later" design flaw in application/Espo/Tools/Stream/Api/PostNotePin.php. The process() method retrieves the note object via getNote($id) and persists the pin state change to the database before invoking the authorization check via checkParent($note). Consequently, a low-privileged user can send a POST request to pin an arbitrary note; the authorization failure is detected and a 403 Forbidden response is returned, but the database change has already committed. The vulnerability is resolved in version 9.3.5 by reordering the authorization check to occur before any data modification.
Business impact
This vulnerability enables unauthorized modification of note metadata within CRM records, potentially disrupting workflow visibility, audit trails, and team collaboration. While the integrity impact is localized to note pinning status, repeated exploitation could be used to manipulate CRM state to confuse users or hide important notes from team members. In compliance-heavy industries, unauthorized database modifications—even of seemingly minor fields—may trigger audit concerns and require forensic investigation.
Affected systems
EspoCRM versions prior to 9.3.5 are vulnerable. The flaw requires network access to the application and valid authentication (any low-privileged user account), making it exploitable in environments where CRM access is broadly distributed. Self-hosted and cloud-hosted EspoCRM deployments using affected versions are at risk.
Exploitability
Exploitation requires valid application credentials and network access to the EspoCRM API. The attack is straightforward: a low-privileged user authenticates and sends a POST request to the /api/v1/Note/{id}/pin endpoint targeting notes outside their permission scope. No special tools, social engineering, or complex techniques are required. The CVSS score of 4.3 (MEDIUM) reflects low attack complexity and no special privileges needed beyond basic user access, though impact is limited to note integrity. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Upgrade EspoCRM to version 9.3.5 or later. This patch relocates the authorization check to occur before the note state is modified, preventing the write-first-authorize-later flaw. Organizations should verify the patch version against the official EspoCRM advisory before deployment. No workarounds are available; patching is the sole remediation path.
Patch guidance
Administrators should prioritize updating to EspoCRM 9.3.5 or newer. The upgrade process should follow EspoCRM's standard release notes and deployment procedures. Test the patch in a non-production environment first to confirm compatibility with any custom extensions or integrations. After upgrading, verify that the /api/v1/Note/{id}/pin endpoint properly enforces access controls by attempting to pin a note belonging to another user's private workspace with a low-privileged test account; the request should be rejected with a 403 error before any database modification occurs.
Detection guidance
Monitor access logs and API audit trails for suspicious POST requests to /api/v1/Note/{id}/pin from low-privileged users, particularly requests targeting notes they do not own or have no edit permission for. Look for patterns of 403 Forbidden responses preceded by successful database writes (indicating the race condition). Database query logs may show UPDATE operations on the note table followed by a subsequent authorization failure in the application layer. Organizations with detailed API logging should correlate HTTP response codes with database transaction timestamps to identify exploitation attempts.
Why prioritize this
Although the CVSS score is MEDIUM (4.3), this vulnerability merits prompt patching because it demonstrates a fundamental design flaw in API security (authorization after modification) that could indicate similar issues in other EspoCRM endpoints. The low barrier to exploitation (any authenticated user) and the high likelihood that CRM environments have broad user bases make this an attractive target for disgruntled or compromised insiders. Early patching prevents accidental or intentional misuse and closes a potential audit compliance gap.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects: (1) Network-accessible attack vector (AV:N); (2) Low attack complexity, no special conditions required (AC:L); (3) Low-privilege attacker (PR:L); (4) No user interaction needed (UI:N); (5) Unchanged scope (S:U); (6) No confidentiality impact (C:N); (7) Low integrity impact limited to note metadata (I:L); (8) No availability impact (A:N). The score appropriately captures the ease of exploitation and authenticated access requirement, offset by the narrow scope of impact (note pinning only) and lack of data exfiltration or denial of service.
Frequently asked questions
Can an unauthenticated user exploit this vulnerability?
No. The vulnerability requires valid EspoCRM user credentials. Attackers must be able to log in with a low-privileged account. If your CRM environment restricts account creation, the attack surface is correspondingly reduced.
Does this vulnerability allow an attacker to read or delete notes?
No. The flaw is specific to modifying the pinned status of notes. Confidentiality and availability are not affected. An attacker cannot exfiltrate data or remove notes using this vulnerability.
Are there any known public exploits for CVE-2026-41160?
As of the last update, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. However, the simplicity of the attack means exploit code could be developed quickly. Organizations should not delay patching based on the absence of public exploits.
If my EspoCRM instance uses custom API extensions, will the patch break them?
Custom extensions that rely on the old (flawed) authorization order may encounter unexpected behavior after patching. Review any custom code that interacts with note pinning logic and test thoroughly in a staging environment before production deployment.
This analysis is based on the CVE record published on 2026-05-28 and last modified 2026-06-17. Verify all patch version numbers and technical details against the official EspoCRM security advisory before implementing remediation. SEC.co does not provide exploit code or proof-of-concept instructions. This intelligence is for informational purposes; organizations must conduct their own risk assessment and testing in their specific environments. No liability is accepted for decisions made based on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Browse
Related vulnerabilities
- CVE-2024-27891MEDIUM
CVE-2024-27891: Arista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2025-12714MEDIUM
CVE-2025-12714: Rank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUM
CVE-2025-52766: Missing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUM
CVE-2025-53302: Missing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUM
CVE-2025-53346: Missing Authorization in ThimPress Thim Core 2.3.3 — Vulnerability Analysis
- CVE-2026-10152MEDIUM
CVE-2026-10152: Improper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10154MEDIUM
CVE-2026-10154: Dolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10172MEDIUM
CVE-2026-10172: Bdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability