SB2026061832 - Multiple vulnerabilities in EspoCRM

Published: June 18, 2026

Security Bulletin ID: SB2026061832
CSH Severity: Low
Patch available: Yes
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 4 vulnerabilities.


1) Deserialization of Untrusted Data (CVE-ID: CVE-2026-47168)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists because stored data associated with background operations (serialized PHP objects originating from MassAction/Export parameters) is deserialized without validation. A remote privileged user can supply specially crafted serialized data to execute arbitrary code.

Exploitation requires administrator privileges; the crafted data is stored first and processed by the application later.
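The defensive counterpart to the finding above is to decode persisted job parameters in a way that can never instantiate a class. The following is an added example, not EspoCRM code: it shows the weak `unserialize()` call beside two hardened decoders (native format with `allowed_classes` disabled, and JSON). The function names and the parameter layout are assumptions for illustration; it assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example (not EspoCRM code). Function names and the job-parameter
// layout are assumptions for illustration.

// Weak pattern: a default unserialize() instantiates whatever class the blob
// names and runs its magic methods (__wakeup, __destruct, ...). Once an
// attacker controls the stored blob, this is the code-execution primitive.
function decodeJobParamsWeak(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened pattern 1: keep the native format but forbid every class. Objects
// in the blob become __PHP_Incomplete_Class stubs whose methods never run,
// and anything that is not a plain array of scalars is rejected outright.
function decodeJobParamsSafe(string $blob): array
{
    $value = unserialize($blob, ['allowed_classes' => false, 'max_depth' => 16]);
    if ($value === false && $blob !== serialize(false)) {
        throw new InvalidArgumentException('Malformed job parameters');
    }
    if (!is_array($value) || containsObject($value)) {
        throw new InvalidArgumentException('Job parameters must be a plain array');
    }
    return $value;
}

function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 2 (preferred for new code): persist job parameters as
// JSON, a format with no object-instantiation semantics at all.
function encodeJobParams(array $params): string
{
    return json_encode($params, JSON_THROW_ON_ERROR);
}

function decodeJobParamsJson(string $blob): array
{
    $value = json_decode($blob, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('Job parameters must be a JSON object or array');
    }
    return $value;
}

// Demonstration with constructed data. The second blob is a serialized
// stdClass, a harmless stand-in for "the blob names a class".
$plain  = serialize(['entityType' => 'Contact', 'ids' => ['a1', 'b2']]);
$object = serialize((object) ['entityType' => 'Contact']);

echo decodeJobParamsSafe($plain)['entityType'], "\n";
try {
    decodeJobParamsSafe($object);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo decodeJobParamsJson(encodeJobParams(['action' => 'export']))['action'], "\n";
```

The `allowed_classes` option is the minimum fix for code that must keep reading existing serialized blobs; migrating the stored format to JSON removes the class of bug entirely, which is why the example shows both.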


2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-46708)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify the opt-out state of a protected contact or lead without authorization.

The vulnerability exists because the target-list opt-out action authorizes only the shared target list and trusts the user-controlled key that references a contact or lead in it. A remote user can send a crafted opt-out action request to modify the opt-out state of a protected contact or lead without authorization.

The issue affects cases where the user can access a shared target list but does not have read or edit access to the target contact or lead.


3) Improper access control (CVE-ID: CVE-2026-46694)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the portal Note API endpoint when fetching a single note directly. A remote user can request a note with a known ID to disclose sensitive information.

Exploitation requires knowledge of the note ID and stream access to the parent record.


4) Missing Authorization (CVE-ID: CVE-2026-46691)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the Import exportErrors endpoint when handling requests for import records by ID. A remote user can send a crafted request with an arbitrary import ID to disclose sensitive information.

Exploitation requires knowledge of a valid import record ID.
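Findings 2, 3 and 4 share one root cause: a record is acted on or returned because the request carried a valid ID, without the requested record itself being authorized for the calling user. The following is an added example, not EspoCRM code, showing that object-level check applied to all three cases: the `Acl` class, the record layout, the user model and the handler names are assumptions for illustration, and it assumes PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Added example (not EspoCRM code). Acl, record layout, User and handler
// names are assumptions used only to illustrate the authorization pattern.

final class User
{
    /** @param string[] $teams */
    public function __construct(public readonly string $id, public readonly array $teams) {}
}

final class Acl
{
    /** @param array<string, array<string, mixed>> $records keyed "Type/id" (constructed data) */
    public function __construct(private readonly array $records) {}

    public function record(string $type, string $id): ?array
    {
        return $this->records["$type/$id"] ?? null;
    }

    // read: owner or a shared team; edit: owner only. Unknown ids are denied,
    // so this check cannot be used to probe whether a record exists.
    public function allows(User $u, string $action, string $type, string $id): bool
    {
        $r = $this->record($type, $id);
        if ($r === null) {
            return false;
        }
        $isOwner = ($r['owner'] ?? null) === $u->id;
        $inTeam  = array_intersect($u->teams, $r['teams'] ?? []) !== [];
        return match ($action) {
            'read'  => $isOwner || $inTeam,
            'edit'  => $isOwner,
            default => false,
        };
    }
}

// Finding 2, weak: only the shared list is authorized; the contact/lead id
// taken from the request is trusted because it "belongs" to that list.
function optOutWeak(Acl $acl, User $u, string $listId, string $type, string $id): bool
{
    return $acl->allows($u, 'read', 'TargetList', $listId);
}

// Finding 2, corrected: the user-controlled key is authorized in its own right.
function optOutSafe(Acl $acl, User $u, string $listId, string $type, string $id): bool
{
    return $acl->allows($u, 'read', 'TargetList', $listId)
        && $acl->allows($u, 'edit', $type, $id);
}

// Findings 3 and 4, weak: a correct id is the only gate (Note by id, Import by id).
function fetchWeak(Acl $acl, string $type, string $id): ?array
{
    return $acl->record($type, $id);
}

// Corrected: authorize the requested record itself and, for a Note, also the
// parent record whose stream it belongs to, before returning anything.
function fetchSafe(Acl $acl, User $u, string $type, string $id): ?array
{
    $r = $acl->record($type, $id);
    if ($r === null || !$acl->allows($u, 'read', $type, $id)) {
        return null;
    }
    if ($type === 'Note' && !$acl->allows($u, 'read', $r['parentType'], $r['parentId'])) {
        return null;
    }
    return $r;
}

// Constructed records: alice owns everything; bob shares the "sales" team with
// the target list and the parent account only, not with the contact, note or import.
$acl = new Acl([
    'TargetList/tl1' => ['owner' => 'alice', 'teams' => ['sales']],
    'Contact/c1'     => ['owner' => 'alice', 'teams' => []],
    'Account/a1'     => ['owner' => 'alice', 'teams' => ['sales']],
    'Note/n1'        => ['owner' => 'alice', 'teams' => [], 'parentType' => 'Account', 'parentId' => 'a1'],
    'Import/i1'      => ['owner' => 'alice', 'teams' => [], 'errors' => 'row 3: bad email'],
]);
$bob = new User('bob', ['sales']);

var_dump(optOutWeak($acl, $bob, 'tl1', 'Contact', 'c1'));  // list access alone decides
var_dump(optOutSafe($acl, $bob, 'tl1', 'Contact', 'c1'));  // edit right on the contact is required
var_dump(fetchWeak($acl, 'Note', 'n1') !== null);          // the id alone returns the note
var_dump(fetchSafe($acl, $bob, 'Note', 'n1') !== null);    // note-level read is checked too
var_dump(fetchSafe($acl, $bob, 'Import', 'i1') !== null);  // import record is authorized first
```

The point the three handlers share is that the gate sits on the record the request ultimately touches, not on the container it was reached through or on the mere validity of the identifier; with the weak variants, a valid ID in the request is what the CVSS vectors above describe as the only precondition.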


Remediation

Install the update from the vendor's website.