SB2026051614 - Authorization bypass through user-controlled key in EspoCRM
Published: May 16, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-41160)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify note pinning status without authorization.
The vulnerability exists due to improper access control in the POST /api/v1/Note/{id}/pin endpoint when handling pin requests for notes whose parent object is not editable by the requester. A remote user can send a crafted request referencing an arbitrary note ID to modify note pinning status without authorization.
The backend performs the write operation before completing the parent authorization check, so the change is persisted even though the API responds with 403 Forbidden.
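The ordering flaw the bulletin describes, shown as an added illustration beside the check-then-write form. This is not EspoCRM's code: the note model, the in-memory store and the parent ACL are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed in-memory model; not EspoCRM's schema or ACL implementation.
@dataclass
class Note:
    id: str
    parent_id: str
    pinned: bool = False

@dataclass
class Store:
    notes: dict = field(default_factory=dict)
    # parent_id -> set of user ids allowed to edit that parent (constructed ACL)
    editors: dict = field(default_factory=dict)

def can_edit_parent(store, user, note):
    return user in store.editors.get(note.parent_id, set())

def pin_vulnerable(store, user, note_id):
    """Write-then-check: the pin flag is persisted before the parent ACL is
    evaluated, so the caller sees 403 but the change survives."""
    note = store.notes[note_id]
    note.pinned = True                      # mutation happens first
    if not can_edit_parent(store, user, note):
        return 403                          # too late: state already changed
    return 200

def pin_fixed(store, user, note_id):
    """Check-then-write: authorize against the parent before any mutation."""
    note = store.notes.get(note_id)
    if note is None:
        return 404
    if not can_edit_parent(store, user, note):
        return 403
    note.pinned = True
    return 200

def demo(handler, user="other_user"):
    """Run one handler against a fresh store; return (status, persisted pin state)."""
    store = Store()
    store.notes["n1"] = Note(id="n1", parent_id="p1")
    store.editors["p1"] = {"owner"}         # only "owner" may edit parent p1
    status = handler(store, user, "n1")
    return status, store.notes["n1"].pinned
```

Comparing the persisted state after a 403 from each handler is the regression check a maintainer would want: the response code alone does not reveal the flaw.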
Remediation
Install the update from the vendor's website.