PatchSiren cyber security CVE debrief
CVE-2020-37094 EspoCRM CVE debrief
CVE-2020-37094 details an authentication token reuse vulnerability in EspoCRM 5.7.0 prior to 5.9.0. This vulnerability allows authenticated attackers to bypass two-factor authentication by exploiting token-to-password-hash mapping. Attackers can obtain an authentication token for a controlled account and replay it against any victim account sharing the same password, bypassing the victim's 2FA protections. The vulnerability exists due to the binding of authentication tokens to password hashes rather than unique per-user values.
- Vendor
- EspoCRM
- Product
- Unknown
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-03
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-02-03
- Advisory updated
- 2026-07-10
Who should care
System administrators and security professionals responsible for EspoCRM installations, particularly those using versions 5.7.0 to 5.8.5, should be aware of this vulnerability. This vulnerability could allow attackers to bypass two-factor authentication, potentially leading to unauthorized access to sensitive information. Affected operator, platform, vulnerability-management, and security-team impact should be reviewed.
Technical summary
The vulnerability exists in the EspoCRM application, specifically in the file application/Espo/Core/Utils/Authentication/Espo.php. The issue arises from the fact that authentication tokens are bound to password hashes rather than unique per-user values. This allows an attacker with a valid authentication token for one account to use it for another account that has the same password, effectively bypassing two-factor authentication for the second account. The vulnerability affects EspoCRM versions 5.7.0 prior to 5.9.0.
Defensive priority
High
Recommended defensive actions
- Update EspoCRM to version 5.9.0 or later
- Implement additional monitoring for authentication attempts
- Consider using more secure authentication methods
- Review and update password policies for EspoCRM users
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-02-03T22:16:25.673Z and was last modified on 2026-07-10T15:16:35.133Z. The NVD entry is currently Modified. This information is based on the supplied source corpus and may not reflect the current state of the vulnerability. Defenders should verify the affected scope and severity with the official CVE record and NVD entry. The vulnerability affects EspoCRM versions 5.7.0 prior to 5.9.0.
Official resources
-
CVE-2020-37094 CVE record
CVE.org
-
CVE-2020-37094 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
-
Source reference
[email protected] - Product
-
Source reference
[email protected] - Exploit, VDB Entry
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-03T22:16:25.673Z and has not been modified since then. The NVD entry is currently Modified.