Server-Side Request Forgery (SSRF) in EspoCRM - CVE-2026-33659

 

Server-Side Request Forgery (SSRF) in EspoCRM - CVE-2026-33659

Published: April 14, 2026


Vulnerability identifier: #VU125917
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33659
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: EspoCRM
Affected software:
EspoCRM

Detailed vulnerability description

The vulnerability allows a remote user to access internal network services and disclose limited information.

The vulnerability exists due to server-side request forgery in the POST /api/v1/Attachment/fromImageUrl endpoint when fetching a user-supplied image URL. A remote user can supply a hostname that passes validation but resolves differently at connection time to access internal network services and disclose limited information.

User interaction is not required, and exploitation requires attachment creation access.


How to mitigate CVE-2026-33659

Install security update from vendor's website.

Sources