SB2026051614 - Authorization bypass through user-controlled key in EspoCRM


Published: May 16, 2026

Security Bulletin ID: SB2026051614
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-41160)

The vulnerability allows a remote user to modify note pinning status without authorization.

The vulnerability exists due to improper access control in the POST /api/v1/Note/{id}/pin endpoint when handling pin requests for notes whose parent object is not editable by the requester. A remote user can send a crafted request referencing an arbitrary note ID to modify note pinning status without authorization.

The backend performs the write operation before completing the parent authorization check, so the change is persisted even though the API responds with 403 Forbidden.
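The ordering defect described above, as an added illustration that is not EspoCRM's code: a hypothetical pin handler that persists the change and only then authorizes against the note's parent, beside the corrected ordering. The in-memory store, the note and parent identifiers, and the per-parent editor list are all constructed for the example.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for the HTTP 403 Forbidden response."""


@dataclass
class Note:
    id: str
    parent_id: str
    is_pinned: bool = False


@dataclass
class Store:
    notes: dict = field(default_factory=dict)
    # parent_id -> set of users allowed to edit that parent (constructed ACL)
    parent_editors: dict = field(default_factory=dict)

    def user_can_edit_parent(self, user: str, parent_id: str) -> bool:
        return user in self.parent_editors.get(parent_id, set())


def pin_note_vulnerable(store: Store, user: str, note_id: str) -> None:
    """Writes first, authorizes second: the caller receives a 403, but the
    pin flag has already been persisted (the defect in the bulletin)."""
    note = store.notes[note_id]
    note.is_pinned = True  # state changed before any access check
    if not store.user_can_edit_parent(user, note.parent_id):
        raise Forbidden()  # too late: the write is already durable


def pin_note_fixed(store: Store, user: str, note_id: str) -> None:
    """Authorizes against the parent before touching any state."""
    note = store.notes[note_id]
    if not store.user_can_edit_parent(user, note.parent_id):
        raise Forbidden()
    note.is_pinned = True


def make_store() -> Store:
    """Constructed sample data: one note under a parent only 'alice' may edit."""
    store = Store()
    store.notes["note-1"] = Note(id="note-1", parent_id="account-1")
    store.parent_editors["account-1"] = {"alice"}
    return store


def pinned_after_denied_request(handler) -> bool:
    """Runs the handler as 'bob' (no edit right on the parent) and reports
    whether the pin was persisted despite the Forbidden response."""
    store = make_store()
    try:
        handler(store, "bob", "note-1")
    except Forbidden:
        pass
    return store.notes["note-1"].is_pinned
```

A regression test for this class of bug asserts on stored state after a denied request, not only on the response code.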


Remediation

Install the update from the vendor's website.