SB2026041456 - Improper access control in EspoCRM
Published: April 14, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2025-32789)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the user sorting function when handling user list sorting requests. A remote user can sort users by the password column to disclose sensitive information.
The issue affects values stored in the user table, and exploitation relies on inferring other users' password hash ordering through repeated sorting.
Remediation
Install update from vendor's website.