Authorization bypass through user-controlled key in EspoCRM - CVE-2026-41160


Published: May 16, 2026


Vulnerability identifier: #VU131610
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41160
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: EspoCRM
Affected software:
EspoCRM

Detailed vulnerability description

The vulnerability allows a remote authenticated user to change the pinned status of notes they are not authorized to modify.

The vulnerability exists due to improper access control in the POST /api/v1/Note/{id}/pin endpoint when handling pin requests for notes whose parent record is not editable by the requester. A remote authenticated user can send a crafted request referencing an arbitrary note ID and change that note's pinned status without authorization (CWE-639: authorization bypass through a user-controlled key, here the note ID in the URL).

The backend persists the pin change before the check on the parent record's editability completes, so the write survives even though the API responds with 403 Forbidden. Because the client is told the action was denied, the bypass is easy to miss in testing unless the note is read back after the request.
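The following is an added illustration of the write-before-check ordering described above; it is a constructed model, not EspoCRM's code, and the names (Parent, Note, Store, pin_vulnerable, pin_fixed, the user and record ids) are assumptions made here for the example. It shows why a 403 response alone proves nothing: the vulnerable handler denies the request after the state change has already been stored, while the hardened handler performs the parent editability check first. The probe function is the same check a practitioner would run against a real instance after patching, with the model store standing in for the CRM.

```python
from dataclasses import dataclass, field


@dataclass
class Parent:
    """A record that notes hang off (e.g. an Account). editors is the set of
    user ids allowed to edit it. Constructed ACL model, not EspoCRM's."""
    id: str
    editors: set = field(default_factory=set)


@dataclass
class Note:
    id: str
    parent_id: str
    pinned: bool = False


@dataclass
class Store:
    """Stand-in for the database: writes to Note objects here are 'persisted'."""
    parents: dict = field(default_factory=dict)
    notes: dict = field(default_factory=dict)


def parent_editable(store: Store, user: str, note: Note) -> bool:
    parent = store.parents.get(note.parent_id)
    return parent is not None and user in parent.editors


def pin_vulnerable(store: Store, user: str, note_id: str, pinned: bool = True) -> int:
    """Ordering bug: the pin flag is stored, then the parent check runs.
    A non-editor gets 403 but the note stays pinned."""
    note = store.notes.get(note_id)
    if note is None:
        return 404
    note.pinned = pinned                       # persisted ...
    if not parent_editable(store, user, note):
        return 403                             # ... then denied; write survives
    return 200


def pin_fixed(store: Store, user: str, note_id: str, pinned: bool = True) -> int:
    """Hardened form: authorize against the parent before touching state."""
    note = store.notes.get(note_id)
    if note is None:
        return 404
    if not parent_editable(store, user, note):
        return 403                             # nothing has been written
    note.pinned = pinned
    return 200


def build_store() -> Store:
    """Constructed sample data: one parent editable only by 'alice', one unpinned note."""
    s = Store()
    s.parents["acc-1"] = Parent("acc-1", editors={"alice"})
    s.notes["note-1"] = Note("note-1", "acc-1")
    return s


def probe(handler, user: str = "mallory", note_id: str = "note-1"):
    """Attempt one pin on a fresh store and return (HTTP status, pinned state
    read back afterwards). Reading the note back is the part that exposes the bug."""
    store = build_store()
    status = handler(store, user, note_id, True)
    note = store.notes.get(note_id)
    return status, (note.pinned if note is not None else None)


if __name__ == "__main__":
    print("vulnerable, non-editor:", probe(pin_vulnerable))       # (403, True)
    print("fixed, non-editor:     ", probe(pin_fixed))            # (403, False)
    print("fixed, editor:         ", probe(pin_fixed, "alice"))   # (200, True)
```

Against a live instance the equivalent check is: as a user who cannot edit the parent record, send the pin request, confirm the 403, then fetch the note and verify its pinned flag is unchanged. Only the read-back distinguishes a denied request from a denied-but-applied one. The fix is purely a matter of ordering: authorization must complete before any state change, and wrapping the handler in a transaction does not help if the 403 path commits rather than rolls back.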


How to mitigate CVE-2026-41160

Install the security update from the vendor's website. After updating, verify the fix rather than trusting the response code: as a user who cannot edit the parent record, send a pin request for one of its notes, confirm the API returns 403 Forbidden, then read the note back and confirm its pinned status did not change.

Sources