Description
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) without performing an ACL check. An authenticated user with EmailTemplate read permission can extract all field values of any entity by supplying the target's email address, bypassing read: own or read: team ACL restrictions. This vulnerability is fixed in 9.3.5.
Published: 2026-05-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the EmailTemplate prepare endpoint, which accepts an email address and resolves the owning entity (Contact, Lead, Account, or User) without enforcing ACL checks. A user with only EmailTemplate read permission can provide any valid email address and retrieve all field values of the corresponding entity, bypassing read: own and read: team restrictions. This leads to data exposure of sensitive customer and internal information.
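To make the authorization failure concrete, here is an added Python model of the lookup path. It is not EspoCRM's PHP code: the entity records, user, `acl_level` parameter and function names are constructed for illustration. `prepare_vulnerable` resolves the owning entity by email and returns its fields with no check on that entity, which is the pre-9.3.5 behaviour the description gives; `prepare_fixed` applies the caller's read level to the resolved entity before returning anything.

```python
"""Model of CWE-639 in an email-address lookup (illustrative, not EspoCRM code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    team_ids: frozenset


@dataclass(frozen=True)
class Entity:
    entity_type: str      # Contact, Lead, Account or User
    id: str
    email: str
    assigned_user_id: str
    team_ids: frozenset
    fields: dict          # the full field set the endpoint would return


# Constructed sample data: ids, addresses and field values are made up.
ALICE = User("u1", frozenset({"sales"}))
RECORDS = [
    Entity("Contact", "c1", "own@example.com", "u1", frozenset({"sales"}),
           {"name": "Own Contact", "phone": "111"}),
    Entity("Lead", "l1", "team@example.com", "u2", frozenset({"sales"}),
           {"name": "Team Lead", "budget": "50k"}),
    Entity("Account", "a1", "other@example.com", "u3", frozenset({"finance"}),
           {"name": "Other Account", "revenue": "9M"}),
    Entity("User", "u3", "dave@example.com", "u3", frozenset({"finance"}),
           {"userName": "dave", "phoneNumber": "333"}),
]


def find_by_email(email):
    """Resolve the owning entity across all four types by exact (case-insensitive) address."""
    wanted = email.strip().lower()
    for record in RECORDS:
        if record.email.lower() == wanted:
            return record
    return None


def can_read(user, entity, level):
    """Read ACL for one entity: level is 'all', 'team', 'own' or 'no'.
    Single level for every entity type is a simplification of the real per-scope model."""
    if level == "all":
        return True
    if level == "team":
        return entity.assigned_user_id == user.id or bool(entity.team_ids & user.team_ids)
    if level == "own":
        return entity.assigned_user_id == user.id
    return False


def prepare_vulnerable(user, email_address, acl_level):
    """Pre-fix pattern: resolve by email and hand back every field, ACL never consulted."""
    entity = find_by_email(email_address)
    return dict(entity.fields) if entity else None


def prepare_fixed(user, email_address, acl_level):
    """Hardened pattern: resolve, then enforce the caller's read ACL on the resolved entity.
    A non-readable match is returned exactly like no match, so the endpoint does not
    become an oracle for which addresses exist in the CRM."""
    entity = find_by_email(email_address)
    if entity is None or not can_read(user, entity, acl_level):
        return None
    return dict(entity.fields)


if __name__ == "__main__":
    # Alice has read: own. The vulnerable path leaks a finance-team account anyway.
    print("vulnerable:", prepare_vulnerable(ALICE, "other@example.com", "own"))
    print("fixed:     ", prepare_fixed(ALICE, "other@example.com", "own"))
```

The key fix point is the ordering: the ACL check runs on the entity that the user-controlled key (the email address) resolved to, not on the EmailTemplate the user is allowed to read. Returning the same result for "no such address" and "address you may not read" is a design choice here to avoid turning the endpoint into an existence check for customer email addresses.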

Affected Systems

EspoCRM versions prior to 9.3.5 are affected; 9.3.5 and later contain the fix. The affected product is the open-source EspoCRM application itself (vendor Espocrm, product espocrm).

Risk and Exploitability

With a CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) the vulnerability is rated medium: network-reachable, low attack complexity, low privileges required, no user interaction, and a high confidentiality impact with no integrity or availability impact. EPSS is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog; the SSVC record marks exploitation as proof-of-concept, technical impact as partial, and the issue as not automatable. The attack vector is a remote HTTP POST to /api/v1/EmailTemplate/:id/prepare from an authenticated session holding EmailTemplate read permission; no elevated privileges are needed. The attacker must know or guess a target's email address, but each request then returns the full field set of the owning Contact, Lead, Account, or User regardless of the caller's read: own or read: team restriction.

Generated by OpenCVE AI on May 28, 2026 at 18:51 UTC.

Remediation

The vendor fix is EspoCRM 9.3.5; upgrading is the remediation. No separate vendor workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade EspoCRM to 9.3.5 or later
  • Restrict EmailTemplate read permissions to roles that require them; use least privilege
  • After the upgrade, verify that the EmailTemplate prepare endpoint no longer returns field values for an email address whose owning entity the requesting user cannot read under their read: own or read: team ACL, and audit access logs for users issuing unusually many prepare requests.
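The audit step can be scripted. The following added Python example is not part of this page or of EspoCRM: it parses web-server access lines in a constructed combined-log format and flags users whose successful POSTs to the prepare endpoint exceed a threshold within a sliding window, which is what harvesting entities by email address looks like from the server side. The log lines, usernames and the template id `t1` are constructed. Two assumptions to note: the authenticated user is taken from the log's remote-user column, which deployments authenticating via API-key or token headers usually leave as `-` (correlate with application logs instead), and the emailAddress parameter travels in the POST body, so access logs show request volume, not which addresses were looked up.

```python
"""Flag enumeration of the EmailTemplate prepare endpoint from access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-style line: ip ident user [ts] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# The vulnerable route from the advisory; :id is any single path segment.
PREPARE_PATH_RE = re.compile(r'^/api/v1/EmailTemplate/[^/]+/prepare$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def prepare_requests(lines):
    """Keep only POSTs to the prepare endpoint (query string ignored), any status."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and PREPARE_PATH_RE.match(rec["path"].split("?", 1)[0]):
            out.append(rec)
    return out


def flag_enumeration(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {user: peak_count} for users with more than `threshold` successful (HTTP 200)
    prepare calls inside any sliding window of length `window`."""
    by_user = defaultdict(list)
    for rec in prepare_requests(lines):
        if rec["status"] == 200:
            by_user[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged


# Constructed sample log: 15 rapid prepare calls by "mallory", normal traffic from others.
SAMPLE_LOG = [
    f'10.0.0.7 - mallory [28/May/2026:10:00:{i:02d} +0000] '
    f'"POST /api/v1/EmailTemplate/t1/prepare HTTP/1.1" 200 640'
    for i in range(0, 60, 4)
] + [
    '10.0.0.8 - alice [28/May/2026:10:00:10 +0000] "POST /api/v1/EmailTemplate/t1/prepare HTTP/1.1" 200 640',
    '10.0.0.8 - alice [28/May/2026:10:00:30 +0000] "GET /api/v1/EmailTemplate/t1 HTTP/1.1" 200 1200',
    '10.0.0.9 - carol [28/May/2026:10:01:00 +0000] "POST /api/v1/Contact HTTP/1.1" 201 300',
    '10.0.0.7 - mallory [28/May/2026:10:02:00 +0000] "POST /api/v1/EmailTemplate/t1/prepare HTTP/1.1" 403 120',
]

if __name__ == "__main__":
    for user, count in flag_enumeration(SAMPLE_LOG).items():
        print(f"suspicious: {user} made {count} prepare calls within 5 minutes")
```

Tune `threshold` and `window` to the legitimate rate of template preparation in your instance; a sales user previewing a template does this a handful of times, not dozens of times per minute. Only HTTP 200 responses count, since after the fix a denied lookup should not yield entity data.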

Advisories

No advisories yet.

History

Thu, 28 May 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Espocrm; Espocrm espocrm

Type: Vendors & Products
Values Added: Espocrm; Espocrm espocrm

Thu, 28 May 2026 17:00:00 +0000

Type: Description
Values Added: EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) without performing an ACL check. An authenticated user with EmailTemplate read permission can extract all field values of any entity by supplying the target's email address, bypassing read: own or read: team ACL restrictions. This vulnerability is fixed in 9.3.5.

Type: Title
Values Added: EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T18:54:06.117Z

Reserved: 2026-04-17T12:59:15.738Z

Link: CVE-2026-41141

Vulnrichment

Updated: 2026-05-28T18:53:44.935Z

NVD

Status : Deferred

Published: 2026-05-28T17:16:21.810

Modified: 2026-05-28T20:16:23.383

Link: CVE-2026-41141

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:00:16Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key