PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41141 espocrm CVE debrief

EspoCRM versions prior to 9.3.5 contain an authorization bypass vulnerability in the email template preparation endpoint. The POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter to resolve the owning entity (Contact, Lead, Account, or User) without performing an access control list (ACL) check. An authenticated attacker with EmailTemplate read permission can extract all field values of any entity by supplying the target's email address, bypassing read: own or read: team ACL restrictions. This allows unauthorized data exfiltration across entity boundaries. The vulnerability was disclosed on 2026-05-28 and is fixed in version 9.3.5.

Vendor
espocrm
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

EspoCRM administrators, security teams managing CRM platforms, and organizations using EspoCRM for customer data management with multi-team or restricted access configurations.

Technical summary

The endpoint resolves the target entity from the caller-supplied email address and never checks whether the requesting user is allowed to read the resolved record: the lookup key is entirely under the attacker's control (CWE-639) and the response contains every field of the match. A user whose access to Contacts, Leads, Accounts or Users is limited to read: own or read: team can therefore read records belonging to other users and teams simply by supplying their email addresses. The fix in 9.3.5 applies the requester's ACL to the resolved entity before any of its data is returned.
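The following Python model, added here as an illustration and not taken from EspoCRM's PHP code, shows the pre-fix and post-fix shapes of the lookup side by side. The `User`/`Entity` records, the team and ACL representation, the sample contacts and the function names are all hypothetical simplifications of the behaviour described in the advisory; the read levels own/team/all are modelled loosely on EspoCRM's terminology but are not its implementation.

```python
"""Model of the authorization bypass in an email-template "prepare" lookup.

Added example, not EspoCRM code. Everything below (records, ACL levels,
function names) is a hypothetical simplification of the advisory text.
"""
from dataclasses import dataclass


@dataclass
class User:
    id: str
    teams: frozenset
    acl: dict  # entity type -> read level: "own", "team", "all" (else no access)


@dataclass
class Entity:
    type: str
    id: str
    email: str
    assigned_user: str
    teams: frozenset
    fields: dict


# Constructed sample data: records owned by different users and teams.
ENTITIES = [
    Entity("Contact", "c1", "alice@example.test", "u1", frozenset({"sales"}),
           {"name": "Alice", "phone": "+1-555-0100", "notes": "renewal pending"}),
    Entity("Contact", "c2", "bob@example.test", "u2", frozenset({"support"}),
           {"name": "Bob", "phone": "+1-555-0199", "notes": "escalated, VIP"}),
    Entity("Lead", "l1", "carol@example.test", "u2", frozenset({"support"}),
           {"name": "Carol", "budget": "50000"}),
]


def resolve_by_email(email):
    """Entity lookup keyed by a caller-controlled value (CWE-639)."""
    email = email.strip().lower()
    for entity in ENTITIES:
        if entity.email == email:
            return entity
    return None


def can_read(user, entity):
    """Simplified read: own / read: team / read: all check for entity.type."""
    level = user.acl.get(entity.type, "no")
    if level == "all":
        return True
    if level == "team":
        return entity.assigned_user == user.id or bool(user.teams & entity.teams)
    if level == "own":
        return entity.assigned_user == user.id
    return False


def prepare_vulnerable(user, email):
    """Pre-9.3.5 shape: resolve, then return every field with no ACL check."""
    entity = resolve_by_email(email)
    if entity is None:
        return {"error": "not found"}
    return {"entityType": entity.type, "entityId": entity.id, **entity.fields}


def prepare_fixed(user, email):
    """Patched shape: the resolved record must pass the caller's ACL first."""
    entity = resolve_by_email(email)
    if entity is None or not can_read(user, entity):
        # One response for both "missing" and "forbidden" so the endpoint
        # cannot be used to confirm which addresses exist in the CRM.
        return {"error": "not found"}
    return {"entityType": entity.type, "entityId": entity.id, **entity.fields}


if __name__ == "__main__":
    # u1 may only read their own Contacts; Bob belongs to u2 / team "support".
    attacker = User("u1", frozenset({"sales"}), {"Contact": "own", "Lead": "team"})
    print(prepare_vulnerable(attacker, "bob@example.test"))  # leaks Bob's fields
    print(prepare_fixed(attacker, "bob@example.test"))       # {'error': 'not found'}
```

The attacker in this model still needs the EmailTemplate read permission the advisory mentions; that gate is assumed to have been passed before either function is called. Returning the same "not found" answer for forbidden and missing records is a design choice of this example, chosen so the patched endpoint does not become an email-existence oracle; the advisory does not describe how 9.3.5 responds in the forbidden case.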

Defensive priority

medium

Recommended defensive actions

  • Upgrade EspoCRM to version 9.3.5 or later to remediate this vulnerability.
  • Review logs for POST requests to /api/v1/EmailTemplate/*/prepare, looking for callers that supply emailAddress values for records outside their own or their team's scope, or that cycle through many addresses in a short period. A standard web server access log records the path but not the POST body, so the emailAddress value is only available if the application or a reverse proxy logs request bodies.
  • Audit EmailTemplate read permissions and restrict to minimum necessary users.
  • Implement additional monitoring for bulk entity field extraction patterns.
  • Verify that ACL enforcement is active on all entity resolution paths in custom integrations.
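The log-review and bulk-extraction items above can be combined into one check, shown here as an added Python example that is not part of the advisory or of EspoCRM. It assumes an application-level or proxy log that records the caller, the request path and the emailAddress value (the `user=... path=... emailAddress=...` line format and the sample lines are constructed for this example); it then flags any user who resolves more than a threshold of distinct addresses through the prepare endpoint inside a sliding time window, which is the fingerprint of enumeration rather than of normal one-off template previews.

```python
"""Detect bulk entity resolution through the EmailTemplate prepare endpoint.

Added example; the log format below is hypothetical. It assumes the
application or reverse proxy logs the emailAddress request parameter,
which a plain web server access log does not capture for POST bodies.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+)(?: emailAddress=(?P<email>\S+))? status=(?P<status>\d+)$"
)
PREPARE_RE = re.compile(r"^/api/v1/EmailTemplate/[^/]+/prepare$")

# Constructed sample log: u1 sweeps eight addresses in under two minutes,
# u2 previews three templates over a few minutes, plus unrelated noise.
SAMPLE_LOG = [
    "2026-05-28T10:00:00Z user=u1 ip=10.0.0.5 method=POST path=/api/v1/EmailTemplate/5f1/prepare emailAddress=a1@example.test status=200",
    "2026-05-28T10:00:10Z user=u1 ip=10.0.0.5 method=POST path=/api/v1/EmailTemplate/5f1/prepare emailAddress=a2@example.test status=200",
    "2026-05-28T10:00:20Z user=u1 ip=10.0.0.5 method=POST path=/api/v1/EmailTemplate/5f1/prepare emailAddress=a3@example.test status=200",
    "2026-05-28T10:00:30Z user=u1 ip=10.0.0.5 method=POST path=/api/v1/EmailTemplate/5f1/prepare emailAddress=A3@example.test status=200",
    "2026-05-28T10:00:40Z user=u1 ip=10.0.0.5 method=POST path=/api/v1/EmailTemplate/5f1/prepare emailAddress=a4@example.test status=200",
    "2026-05-28T10:00:50Z user=u1 ip=10.0.0.5 method=POST path=/api/v1/EmailTemplate/5f1/prepare emailAddress=a5@example.test status=200",
    "2026-05-28T10:01:00Z user=u1 ip=10.0.0.5 method=POST path=/api/v1/EmailTemplate/5f1/prepare emailAddress=a6@example.test status=200",
    "2026-05-28T10:01:20Z user=u1 ip=10.0.0.5 method=POST path=/api/v1/EmailTemplate/5f1/prepare emailAddress=a7@example.test status=200",
    "2026-05-28T10:01:45Z user=u1 ip=10.0.0.5 method=POST path=/api/v1/EmailTemplate/5f1/prepare emailAddress=a8@example.test status=200",
    "2026-05-28T10:00:05Z user=u2 ip=10.0.0.9 method=POST path=/api/v1/EmailTemplate/5f1/prepare emailAddress=b1@example.test status=200",
    "2026-05-28T10:03:00Z user=u2 ip=10.0.0.9 method=POST path=/api/v1/EmailTemplate/7c2/prepare emailAddress=b2@example.test status=200",
    "2026-05-28T10:04:30Z user=u2 ip=10.0.0.9 method=POST path=/api/v1/EmailTemplate/7c2/prepare emailAddress=b3@example.test status=200",
    "2026-05-28T10:02:00Z user=u3 ip=10.0.0.7 method=GET path=/api/v1/EmailTemplate/5f1 status=200",
    "2026-05-28T10:02:01Z user=u3 ip=10.0.0.7 method=POST path=/api/v1/Contact status=201",
    "garbage line that does not parse",
]


def parse_prepare_events(lines):
    """Return time-sorted (timestamp, user, email) tuples for prepare calls."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or not PREPARE_RE.match(m["path"]):
            continue
        if m["email"] is None:  # prepare call without an address: nothing to count
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["email"].lower()))
    events.sort()
    return events


def find_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Map user -> max distinct addresses resolved within any `window`,
    for users exceeding `threshold`. Case-folded so A3 and a3 count once."""
    by_user = defaultdict(list)
    for ts, user, email in parse_prepare_events(lines):
        by_user[user].append((ts, email))
    alerts = {}
    for user, evs in by_user.items():
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({e for _, e in evs[start:end + 1]}))
        if best > threshold:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    for user, count in find_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {user}: {count} distinct addresses resolved within 5 minutes")
```

The threshold and window are starting points, not tuned values; a sales user who legitimately previews a template for several recipients will show a handful of addresses, while an exfiltration run against the vulnerable endpoint shows dozens to thousands. Pair the count with the scope check from the recommendation above where the log also records the resolved entity's owner or team.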

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-vvmh-mf4h-96hw. CVSS 3.1 score 6.5 (MEDIUM) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. CWE-639: Authorization Bypass Through User-Controlled Key.

Official resources

2026-05-28