Description
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4.
Published: 2026-04-13
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Internal network access via SSRF
Action: Apply Patch
AI Analysis

Impact

EspoCRM versions 9.3.3 and earlier contain a server‑side request forgery flaw in the POST /api/v1/Attachment/fromImageUrl endpoint. The flaw arises from a DNS rebinding (time‑of‑check to time‑of‑use) condition combined with a mismatch between host validation using dns_get_record() and the actual curl resolver, allowing an authenticated user with attachment‑creation rights to fool the application into resolving a supplied hostname to an internal IP. This permits the attacker to reach internal network hosts, scan ports, and interact with internal HTTP services, though it cannot retrieve binary data or execute code on those hosts. The weakness is reflected by CWE‑367 and CWE‑918.

Affected Systems

Affecteds: EspoCRM (espocrm) product, specifically versions 9.3.3 and all prior releases. No other vendors or product versions are listed as impacted.

Risk and Exploitability

The CVSS base score of 3.5 indicates low complexity but the exploitable nature is clear: an attacker needs only authenticated access with default attachment‑creation permissions and can use any HTTP client to send a request to the vulnerable endpoint. The EPSS score is not available and the issue is not marked in CISA's KEV, suggesting that widespread exploitation has not yet been observed. Nevertheless, the ability to discover internal network topology remains a significant threat to confidentiality and availability within the affected environment. The vulnerability is resolved in EspoCRM 9.3.4, which eliminates the double‑lookup path by aligning host resolution with validation.

Generated by OpenCVE AI on April 13, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EspoCRM to version 9.3.4 or later.
  • Revoke default attachment‑creation permissions from users as an interim control.

Generated by OpenCVE AI on April 13, 2026 at 21:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Espocrm
Espocrm espocrm
Vendors & Products Espocrm
Espocrm espocrm

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4.
Title EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access
Weaknesses CWE-367
CWE-918
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Espocrm Espocrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T13:52:31.103Z

Reserved: 2026-03-23T15:23:42.219Z

Link: CVE-2026-33659

cve-icon Vulnrichment

Updated: 2026-04-14T13:52:11.538Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T21:16:24.760

Modified: 2026-04-22T00:07:49.143

Link: CVE-2026-33659

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:20Z

Weaknesses