CVE-2026-33740— EspoCRM: Email importEml can import and delete another user's attachment by raw fileId

EspoCRM: Email importEml can import and delete another user's attachment by raw fileId

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

通过用户控制密钥绕过授权机制

EspoCRM 安全漏洞

EspoCRM是EspoCRM开源的一套开源的基于Web的客户关系管理系统（CRM）。该系统提供销售自动化、社区和客户支持等功能。 EspoCRM 9.3.3及之前版本存在安全漏洞，该漏洞源于POST /api/v1/Email/importEml端点未验证用户对附件文件的访问权限，可能导致不安全的直接对象引用攻击。

N/A

N/A