PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41160 espocrm CVE debrief

A broken access control vulnerability in EspoCRM 9.3.3 allows low-privileged users to persistently modify note pinning status without proper authorization. The flaw exists in the POST /api/v1/Note/{id}/pin endpoint where the server processes the write operation before validating permissions, resulting in a 'write first, authorize later' execution pattern. While the API returns a 403 Forbidden response, the database modification has already occurred. This affects confidentiality and integrity boundaries within the application. The vulnerability was disclosed on May 28, 2026 and is resolved in version 9.3.5.

Vendor: espocrm
Product: Unknown
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

EspoCRM administrators and security teams managing customer relationship management deployments should prioritize this patch to prevent unauthorized data manipulation. Organizations with compliance requirements around access control auditing should review logs for potential exploitation. Development teams building on EspoCRM should examine custom API implementations for similar authorization sequencing errors.

Technical summary

The vulnerability stems from the order of operations in PostNotePin.php::process(): getNote($id) executes before checkParent($note), so the database write completes before the authorization check runs. The POST /api/v1/Note/{id}/pin endpoint therefore persists the change to the pinned status field even though it returns HTTP 403 to unauthorized callers. A low-privileged account can thereby change how notes are pinned and ordered in the CRM interface without holding edit permission on the parent record. The fix in 9.3.5 restructures process() so that the authorization check precedes any persistent state modification.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade EspoCRM to version 9.3.5 or later to remediate the authorization bypass vulnerability
  • Review application logs for unauthorized note pinning operations by low-privileged accounts between deployment of affected versions and patch application
  • Implement additional access control validation at the database transaction layer to prevent 'write first, authorize later' patterns
  • Audit similar API endpoints in custom EspoCRM modules for equivalent authorization sequencing flaws
  • Monitor for anomalous note pinning activity as an indicator of potential exploitation attempts
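The log review and monitoring actions above hinge on one observation: on an affected version, a POST to the pin endpoint that returned 403 is not a refused request but a write that went through. The following is an added, illustrative scanner (not PatchSiren's or EspoCRM's code) that pulls such requests out of web-server access logs; it assumes a common-log-format line layout and uses constructed sample lines.

```python
import re
from collections import Counter

# Constructed sample access-log lines (common log format); not real EspoCRM output.
SAMPLE_LOG = """\
10.0.0.5 - alice [28/May/2026:10:01:02 +0000] "POST /api/v1/Note/6650a1b2c3d4e5f67/pin HTTP/1.1" 403 45
10.0.0.9 - bob [28/May/2026:10:02:30 +0000] "POST /api/v1/Note/6650a1b2c3d4e5f67/pin HTTP/1.1" 200 2
10.0.0.5 - alice [28/May/2026:10:03:11 +0000] "GET /api/v1/Note/6650a1b2c3d4e5f67 HTTP/1.1" 200 812
10.0.0.7 - carol [28/May/2026:10:04:40 +0000] "POST /api/v1/Note/7750a1b2c3d4e5f68/pin HTTP/1.1" 403 45
this line is garbage and must not break the scan
"""

# Assumed access-log layout: ip ident user [timestamp] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# The endpoint named in the advisory; a reverse-proxy path prefix would need to be added here.
PIN_RE = re.compile(r'^/api/v1/Note/(?P<note_id>[^/]+)/pin$')


def find_suspect_pins(log_text: str) -> list[dict]:
    """Return pin requests that were answered with 403.

    On EspoCRM 9.3.3 the pinned flag is written before checkParent() runs,
    so each of these represents a persisted change by a user who was
    denied, not a blocked attempt. A 200 from an authorised user is normal.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unparseable lines instead of aborting the review
        p = PIN_RE.match(m["path"])
        if m["method"] != "POST" or p is None or m["status"] != "403":
            continue
        hits.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"], "note_id": p["note_id"]})
    return hits


def count_by_user(hits: list[dict]) -> Counter:
    """Aggregate suspect pins per account to surface repeat offenders."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    suspect = find_suspect_pins(SAMPLE_LOG)
    for h in suspect:
        print(f'{h["ts"]} user={h["user"]} ip={h["ip"]} note={h["note_id"]} pinned despite 403')
    print(dict(count_by_user(suspect)))
```

Once the instance runs 9.3.5 or later a 403 on this endpoint is a genuine denial, so the same query then serves as a plain failed-authorization alert rather than evidence of a silent write.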

Evidence notes

The vulnerability description identifies the specific file (application/Espo/Tools/Stream/Api/PostNotePin.php) and method (process()) where the authorization check sequence flaw occurs. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) confirms network attack vector with low privileges required. CWE classifications include CWE-284 (Improper Access Control), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization).

Official resources

2026-05-28