Server-Side Request Forgery (SSRF) in EspoCRM - CVE-2026-33534

 

Server-Side Request Forgery (SSRF) in EspoCRM - CVE-2026-33534

Published: April 14, 2026


Vulnerability identifier: #VU125919
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33534
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: EspoCRM
Affected software:
EspoCRM

Detailed vulnerability description

The vulnerability allows a remote user to make requests to internal resources and disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the /api/v1/Attachment/fromImageUrl endpoint when processing a user-supplied image URL containing an alternative IPv4 representation. A remote user can send a specially crafted request using octal IPv4 notation to make requests to internal resources and disclose sensitive information.

In the confirmed flow, the fetched response is stored as an attachment.


How to mitigate CVE-2026-33534

Install security update from vendor's website.

Sources