Improper access control in EspoCRM - CVE-2025-32789


Published: April 16, 2025 / Updated: April 14, 2026


Vulnerability identifier: #VU125915
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-32789
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: EspoCRM
Affected software:
EspoCRM

Detailed vulnerability description

The vulnerability allows a remote authenticated user to disclose sensitive information.

The vulnerability exists due to improper access control in the user list sorting function: the column used to order the list is not restricted to fields the requester is permitted to read, so a remote user can request the user list sorted by the password column. The returned order is the order of the other users' stored password hashes.

No column value is returned that the requester could not already see; what leaks is the relative ordering of the hashes in the user table. An attacker who knows the hash of their own password learns from one sorted listing whether each other user's hash sorts before or after it, and can narrow that down by changing their own password (and therefore their own hash) and repeating the sort. Provided the stored hashes are salted, as modern password hashing is, obtaining a hash equal to a victim's this way is impractical, which is consistent with the Low severity; the sort key is still a disclosure channel that the password column must never be exposed through.
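The following is an added illustration, not EspoCRM's code or the vendor's fix. It models the weakness on a small in-memory SQLite table with constructed, made-up hash strings: a list function that lets the caller sort by any real column (safe against SQL injection, since the name is checked against the schema, but still leaking hash order), an allowlist-based version in which the password column is not sortable, and a helper showing what a low-privileged user learns from a single listing sorted by password. Table and column names, the function names and the sample rows are assumptions for the example.

```python
import sqlite3
from typing import Dict, List, Optional

# Constructed sample data for this example. The "hashes" are made-up strings
# shaped like bcrypt output; they are not real credentials.
SAMPLE_USERS = [
    ("u1", "alice", "$2y$10$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
    ("u2", "bob",   "$2y$10$mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm"),
    ("u3", "carol", "$2y$10$zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"),
]

# Fields a caller may legitimately order a user list by (assumed allowlist).
# Sensitive columns such as "password" are deliberately absent.
SORTABLE_FIELDS = {"id", "userName"}


def make_db() -> sqlite3.Connection:
    """Build the in-memory user table used by every function below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id TEXT PRIMARY KEY, userName TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def _columns(conn: sqlite3.Connection) -> set:
    # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
    return {row[1] for row in conn.execute("PRAGMA table_info(user)")}


def list_users_vulnerable(order_by: str, conn: Optional[sqlite3.Connection] = None) -> List[str]:
    """Weak pattern: any existing column is accepted as the sort key.

    The schema check stops SQL injection through the identifier, but it is not
    an access-control check: ordering by "password" orders the rows by hash.
    """
    conn = conn or make_db()
    if order_by not in _columns(conn):
        raise ValueError(f"unknown column: {order_by}")
    rows = conn.execute(f"SELECT userName FROM user ORDER BY {order_by}")
    return [r[0] for r in rows]


def is_sortable(field: str) -> bool:
    """Access-control decision: only allowlisted fields may be sort keys."""
    return field in SORTABLE_FIELDS


def list_users_fixed(order_by: str, conn: Optional[sqlite3.Connection] = None) -> List[str]:
    """Hardened pattern: the sort key must come from the allowlist, so the
    password column (and any other non-listed column) never reaches ORDER BY."""
    conn = conn or make_db()
    if not is_sortable(order_by):
        raise ValueError(f"field is not sortable: {order_by}")
    rows = conn.execute(f"SELECT userName FROM user ORDER BY {order_by}")
    return [r[0] for r in rows]


def hash_position_oracle(attacker: str, conn: Optional[sqlite3.Connection] = None) -> Dict[str, str]:
    """What one password-sorted listing tells a user who knows their own hash:
    for every other user, whether that user's hash sorts before or after theirs.
    Repeating this after changing one's own password narrows the estimate."""
    order = list_users_vulnerable("password", conn)
    mine = order.index(attacker)
    return {name: ("before" if pos < mine else "after")
            for pos, name in enumerate(order) if name != attacker}


if __name__ == "__main__":
    print("sorted by password (leaks hash order):", list_users_vulnerable("password"))
    print("what 'bob' learns:", hash_position_oracle("bob"))
    print("fixed, sorted by userName:", list_users_fixed("userName"))
    try:
        list_users_fixed("password")
    except ValueError as exc:
        print("fixed rejects:", exc)
```

The point of the fixed version is that "is this a real column?" and "may this caller sort by it?" are different questions; the second must be answered by an allowlist of fields the requester is entitled to read, not by the database schema.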


How to mitigate CVE-2025-32789

Install security update from vendor's website.
