CVE-2026-33740 Overview
EspoCRM is an open source customer relationship management (CRM) application that is widely used for managing customer data, sales pipelines, and business communications. CVE-2026-33740 is an Insecure Direct Object Reference (IDOR) vulnerability affecting versions 9.3.3 and below. The vulnerability exists in the POST /api/v1/Email/importEml endpoint where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it.
Any authenticated user with Email:create and Import permissions can exploit this vulnerability to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox. As a side effect of the import flow, the original victim's attachment record is deleted. This behavior is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data.
Critical Impact
Authenticated attackers can access and read other users' email attachments, leading to unauthorized data disclosure and potential deletion of victim attachments.
Affected Products
- EspoCRM versions 9.3.3 and below
- EspoCRM installations with Email:create and Import permissions enabled for users
Discovery Timeline
- 2026-04-13 - CVE CVE-2026-33740 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-33740
Vulnerability Analysis
The vulnerability stems from a missing authorization check in the email import functionality. When a user sends a POST request to the /api/v1/Email/importEml endpoint with a fileId parameter, the application retrieves the corresponding attachment directly from the repository without validating whether the requesting user has permission to access that specific file.
This creates an authorization bypass where attachment IDs, which are commonly exposed in normal UI and API workflows such as stream payloads and download links, can be leveraged by malicious authenticated users to access files belonging to other users. The standard attachment download path correctly enforces Access Control List (ACL) checks before returning file data, making this inconsistency a clear security oversight.
Root Cause
The root cause is CWE-639: Authorization Bypass Through User-Controlled Key. The fileId parameter in the importEml endpoint directly references attachment objects without implementing proper ownership or permission validation. The import service trusts user-supplied attachment identifiers and performs operations on them without verifying the caller's authorization level.
Attack Vector
The attack vector is network-based and requires low-privilege authenticated access. An attacker with basic Email:create and Import permissions can enumerate or observe attachment IDs through normal application usage, then craft malicious API requests to the vulnerable endpoint to import other users' email attachments into their own mailbox.
// Security patch in application/Espo/Tools/Email/Api/PostImportEml.php
// Source: https://github.com/espocrm/espocrm/commit/88e3ba6a7b5cab5dbc2298e2a093d3aa383aa95f
use Espo\Core\Api\ResponseComposer;
use Espo\Core\Exceptions\BadRequest;
use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Exceptions\NotFound;
+use Espo\Entities\Attachment;
use Espo\Entities\Email;
use Espo\Entities\User;
+use Espo\ORM\EntityManager;
use Espo\Tools\Email\ImportEmlService;
The patch introduces proper entity management and authorization exceptions (NotFound, Forbidden) along with Attachment entity handling via the EntityManager to validate attachment access before processing import requests.
Detection Methods for CVE-2026-33740
Indicators of Compromise
- Unusual volume of POST requests to /api/v1/Email/importEml from a single user account
- API requests containing fileId parameters referencing attachments not owned by the requesting user
- Unexpected attachment deletions reported by users whose files were targeted
- Audit logs showing email imports with attachment IDs inconsistent with user's own uploads
Detection Strategies
- Implement API request logging and monitoring for the /api/v1/Email/importEml endpoint
- Cross-reference fileId values in import requests against attachment ownership records
- Deploy anomaly detection rules to identify users accessing abnormally high numbers of distinct attachment IDs
- Enable verbose logging for email import operations to capture authorization context
Monitoring Recommendations
- Configure alerts for failed authorization attempts following application patching
- Monitor for patterns of sequential or enumerated fileId access attempts
- Review access logs for authenticated users attempting to import attachments outside their organizational scope
- Implement real-time dashboards tracking email import API usage patterns
How to Mitigate CVE-2026-33740
Immediate Actions Required
- Upgrade EspoCRM to version 9.3.4 or later immediately
- Audit recent email import activity logs for signs of exploitation
- Review user permissions and restrict Email:create and Import capabilities to trusted users only
- Consider temporarily disabling the email import feature if patching cannot be performed immediately
Patch Information
EspoCRM has released version 9.3.4 which addresses this vulnerability. The fix implements proper authorization checks in the PostImportEml.php API handler to validate that the requesting user has permission to access the specified attachment before processing the import.
The security patch is available via:
Workarounds
- Restrict access to the email import functionality by modifying role permissions to remove Import capability from non-essential users
- Implement web application firewall (WAF) rules to rate-limit or block requests to /api/v1/Email/importEml
- Deploy network-level access controls to limit API access to trusted IP ranges
- Enable additional authentication requirements for sensitive email operations
# Example: Restrict Import permission via EspoCRM role configuration
# Navigate to Administration > Roles > [Role Name]
# Set Email Import permission to "no" for non-administrative roles
#
# Alternative: Use .htaccess to restrict endpoint access
<Location "/api/v1/Email/importEml">
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
