SB2026041456 - Improper access control in EspoCRM
Published: April 14, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper access control (CVE-ID: CVE-2025-32789)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the user sorting function when handling user list sorting requests. A remote user can sort users by the password column to disclose sensitive information.
The issue affects values stored in the user table, and exploitation relies on inferring other users' password hash ordering through repeated sorting.
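The class of flaw described above is closed by refusing any sort key the requester is not allowed to read. The following sketch is an added example, not EspoCRM's code or the vendor's patch; the `users` table, the field names and the `SortFieldDenied` exception are assumptions made for illustration.

```python
import sqlite3

# Assumed schema and policy for this example only (not EspoCRM's own names).
READABLE_FIELDS = ("id", "user_name", "created_at")   # requester may read these
HIDDEN_FIELDS = ("password",)                         # stored, never readable


class SortFieldDenied(Exception):
    """Raised when a list request asks to order by a field it may not read."""


def build_user_list_query(order_by, direction="asc"):
    # Allow-list check: the sort key must be a field the requester can read.
    # Ordering by a hidden column leaks its relative order across rows even
    # though the column itself is never selected.
    if order_by in HIDDEN_FIELDS:
        raise SortFieldDenied(f"sorting by {order_by!r} is not permitted")
    if order_by not in READABLE_FIELDS:
        raise SortFieldDenied(f"unknown sort field {order_by!r}")
    if direction.lower() not in ("asc", "desc"):
        raise SortFieldDenied(f"invalid sort direction {direction!r}")
    columns = ", ".join(READABLE_FIELDS)
    # Safe to interpolate: both values were matched against fixed allow-lists.
    return f"SELECT {columns} FROM users ORDER BY {order_by} {direction.upper()}"


def list_users(conn, order_by="user_name", direction="asc"):
    return conn.execute(build_user_list_query(order_by, direction)).fetchall()


def make_sample_db():
    # Constructed rows; the password values are placeholders, not real hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user_name TEXT, "
                 "created_at TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "2026-01-03", "placeholder-c"),
        (2, "bob", "2026-01-01", "placeholder-a"),
        (3, "carol", "2026-01-02", "placeholder-b"),
    ])
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print(list_users(db, "created_at"))
    try:
        list_users(db, "password")
    except SortFieldDenied as exc:
        print("rejected:", exc)
```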
Remediation
Install the update from the vendor's website.