Description
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first, authorize later" execution flaw in the backend API, even though the server correctly returns a 403 Forbidden error, the targeted note's pinned status is already persistently modified in the database. The root cause lies in the server-side processing of the POST /api/v1/Note/{id}/pin endpoint. In application/Espo/Tools/Stream/Api/PostNotePin.php, the process() method first calls getNote($id) before calling checkParent($note). This vulnerability is fixed in 9.3.5.
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

EspoCRM 9.3.3 and earlier contain a broken access control flaw that lets low‑privileged users pin any note. The API endpoint /api/v1/Note/{id}/pin writes the new pinned state to the database before performing the authorization check, so a 403 response is returned while the change persists. The attacker can therefore alter the pinned status of any note without possessing edit rights to the parent object, violating data integrity.
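As an added illustration (not EspoCRM's code; the in-memory store, ACL table and handler names are constructed for this example), the following PHP contrasts the write-then-authorize ordering the description attributes to PostNotePin.php with the authorize-then-write ordering that closes the gap:

```php
<?php
// Hypothetical illustration of the "write first, authorize later" ordering.
// Not EspoCRM's code: the store, the ACL table and the handler names are
// constructed for this example.
declare(strict_types=1);

final class ForbiddenException extends RuntimeException {}

// Constructed note store: note id => ['parentId' => ..., 'isPinned' => bool]
$notes = ['n1' => ['parentId' => 'acc1', 'isPinned' => false]];
// Constructed ACL: user => list of parent record ids the user may edit
$editAcl = ['alice' => ['acc1'], 'bob' => []];

// Parent-record edit check; throws the 403 the client sees.
function checkParent(array $note, string $user, array $editAcl): void
{
    if (!in_array($note['parentId'], $editAcl[$user] ?? [], true)) {
        throw new ForbiddenException('403 Forbidden');
    }
}

// Vulnerable ordering: the pinned flag is persisted before the check runs,
// so the 403 is returned but the write stays in the store.
function pinNoteVulnerable(array &$notes, string $id, string $user, array $editAcl): void
{
    $note = $notes[$id];                 // load the note first
    $notes[$id]['isPinned'] = true;      // write happens here
    checkParent($note, $user, $editAcl); // authorization only now
}

// Hardened ordering: authorize against the parent, then write.
function pinNoteFixed(array &$notes, string $id, string $user, array $editAcl): void
{
    $note = $notes[$id];
    checkParent($note, $user, $editAcl); // 403 raised before any state change
    $notes[$id]['isPinned'] = true;
}

// Run both handlers as the low-privileged user "bob" against a fresh copy
// of the store and show whether the denied request left a persisted change.
foreach (['pinNoteVulnerable', 'pinNoteFixed'] as $handler) {
    $store = $notes;
    try {
        $handler($store, 'n1', 'bob', $editAcl);
    } catch (ForbiddenException $e) {
        printf("%s: %s, isPinned=%s\n", $handler, $e->getMessage(),
            var_export($store['n1']['isPinned'], true));
    }
}
```

The vulnerable handler reports the denial yet leaves isPinned set, which is the integrity impact a detection rule should key on: a 403 on the pin endpoint followed by a changed note record.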

Affected Systems

The affected product is EspoCRM, an open source customer relationship management application. The vulnerability is present in releases 9.3.3 and earlier and was fixed in version 9.3.5. Users running an impacted version are susceptible to this flaw.

Risk and Exploitability

The risk level is low, with a CVSS score of 4.3 and no recorded exploitation probability (EPSS not available). The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authenticated API access and knowledge of a note identifier, making the attack vector a network‑based API call by a low‑privileged user.

Generated by OpenCVE AI on May 28, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EspoCRM to version 9.3.5 or later to apply the vendor fix
  • If an upgrade is not immediately possible, restrict access to the /api/v1/Note/{id}/pin endpoint by requiring users to have edit permissions for the parent record
  • Consider disabling or temporarily blocking the note‑pinning API if it is not essential for your workflow

Advisories

No advisories yet.

History

Thu, 28 May 2026 19:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Espocrm; Espocrm espocrm

Type: Vendors & Products
Values Added: Espocrm; Espocrm espocrm

Thu, 28 May 2026 17:00:00 +0000

Type: Description
Values Added: EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first, authorize later" execution flaw in the backend API, even though the server correctly returns a 403 Forbidden error, the targeted note's pinned status is already persistently modified in the database. The root cause lies in the server-side processing of the POST /api/v1/Note/{id}/pin endpoint. In application/Espo/Tools/Stream/Api/PostNotePin.php, the process() method first calls getNote($id) before calling checkParent($note). This vulnerability is fixed in 9.3.5.

Type: Title
Values Added: EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes

Type: Weaknesses
Values Added: CWE-284, CWE-639, CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T19:04:24.739Z

Reserved: 2026-04-17T16:34:45.524Z

Link: CVE-2026-41160

Vulnrichment

Updated: 2026-05-28T19:03:20.303Z

NVD

Status: Deferred

Published: 2026-05-28T17:16:22.053

Modified: 2026-05-28T20:16:23.507

Link: CVE-2026-41160

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:30:16Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-862: Missing Authorization