{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33659", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.219Z", "datePublished": "2026-04-13T20:32:07.072Z", "dateUpdated": "2026-04-14T13:52:31.103Z"}, "containers": {"cna": {"title": "EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7"}, {"name": "https://github.com/espocrm/espocrm/commit/dca03cc3458e487362c26c746378a2d4de9990b1", "tags": ["x_refsource_MISC"], "url": "https://github.com/espocrm/espocrm/commit/dca03cc3458e487362c26c746378a2d4de9990b1"}, {"name": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4"}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"version": "< 9.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T20:32:07.072Z"}, "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4."}], "source": {"advisory": "GHSA-6m4j-fwrx-crh7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:52:16.446120Z", "id": "CVE-2026-33659", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:52:31.103Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33659", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T13:52:16.446120Z"}}}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:52:11.538Z"}}], "cna": {"title": "EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access", "source": {"advisory": "GHSA-6m4j-fwrx-crh7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"status": "affected", "version": "< 9.3.4"}]}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7", "name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/espocrm/espocrm/commit/dca03cc3458e487362c26c746378a2d4de9990b1", "name": "https://github.com/espocrm/espocrm/commit/dca03cc3458e487362c26c746378a2d4de9990b1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "name": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T20:32:07.072Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33659", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:52:31.103Z", "dateReserved": "2026-03-23T15:23:42.219Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T20:32:07.072Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4."}], "id": "CVE-2026-33659", "lastModified": "2026-04-14T15:16:28.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T21:16:24.760", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/espocrm/espocrm/commit/dca03cc3458e487362c26c746378a2d4de9990b1"}, {"source": "security-advisories@github.com", "url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.3.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "espocrm", "source": "cna", "vendor": "espocrm"}, "product": "espocrm", "vendor": "espocrm"}], "analysis": {"en": {"generated_at": "2026-04-13T21:33:22.729225+00:00", "value": {"mitigation_remediation": ["Upgrade EspoCRM to version 9.3.4 or later.", "Revoke default attachment\u2011creation permissions from users as an interim control."], "summary": {"action": "Apply Patch", "impact": "Internal network access via SSRF"}, "threat_synthesis": {"affected_systems": "Affecteds: EspoCRM (espocrm) product, specifically versions 9.3.3 and all prior releases. No other vendors or product versions are listed as impacted.", "description_and_impact": "EspoCRM versions 9.3.3 and earlier contain a server\u2011side request forgery flaw in the POST /api/v1/Attachment/fromImageUrl endpoint. The flaw arises from a DNS rebinding (time\u2011of\u2011check to time\u2011of\u2011use) condition combined with a mismatch between host validation using dns_get_record() and the actual curl resolver, allowing an authenticated user with attachment\u2011creation rights to fool the application into resolving a supplied hostname to an internal IP. This permits the attacker to reach internal network hosts, scan ports, and interact with internal HTTP services, though it cannot retrieve binary data or execute code on those hosts. The weakness is reflected by CWE\u2011367 and CWE\u2011918.", "risk_and_exploitability": "The CVSS base score of 3.5 indicates low complexity but the exploitable nature is clear: an attacker needs only authenticated access with default attachment\u2011creation permissions and can use any HTTP client to send a request to the vulnerable endpoint. The EPSS score is not available and the issue is not marked in CISA's KEV, suggesting that widespread exploitation has not yet been observed. Nevertheless, the ability to discover internal network topology remains a significant threat to confidentiality and availability within the affected environment. The vulnerability is resolved in EspoCRM 9.3.4, which eliminates the double\u2011lookup path by aligning host resolution with validation."}}}}, "created": "2026-04-14T16:18:13.095481+00:00", "updated": "2026-04-14T16:33:20.115672+00:00", "vendors": ["espocrm", "espocrm$PRODUCT$espocrm"]}