External risk intelligence

EspoCRM allows attackers to overwrite any file on your server.

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-33656

EspoCRM lets administrators overwrite server files by manipulating file paths, potentially impacting sensitive data or systems. Update to version 9.3.4 immediately.

Halo Surface Signal: 4

Path Traversal

EspoCRM

before 9.3.4

External exposure likelihood

Halo Surface Signal score for CVE-2026-33656

EspoCRM is a web-based customer relationship management platform. Such applications are frequently deployed as internet-facing web services to support remote business operations, which places the login and management interfaces within the reach of internet-based traffic.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in EspoCRM allows an authenticated administrator to potentially overwrite arbitrary files on the server. By manipulating file paths, an attacker could redirect file operations, leading to significant data compromise or system disruption. This requires immediate attention for any organization using this CRM software.

  • Can impact sensitive files.
  • Affects authenticated administrators.
  • Allows arbitrary file read/write.

Attack Path

How an attacker could exploit the issue

An authenticated admin user could exploit this vulnerability to overwrite arbitrary files on the web server. By manipulating the `sourceId` field, they can redirect file operations to any path the web server process is allowed to reach under its `open_basedir` settings. This allows for potential data corruption, denial of service, or even code execution if sensitive server files are targeted.

  • Requires admin credentials.
  • Targets file upload functionality.
  • Relies on unsanitized path input.

Live Threat

Current exploitation, exposure, and threat context

Attackers will likely target this vulnerability because it allows authenticated administrators to overwrite files on the web server. The critical nature of the flaw, combined with the fact that EspoCRM is often internet-facing, makes it an attractive target for potential exploitation. Given the functionality, attackers could aim to achieve remote code execution or compromise sensitive data.

  • Requires admin authentication.
  • Allows arbitrary file overwrite.
  • Affects EspoCRM versions prior to 9.3.4.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize updating EspoCRM to version 9.3.4 or later to remediate the critical arbitrary file write vulnerability. If immediate patching is not feasible, implement strict input validation on file path components and restrict file system access for the web server process.

  • Apply EspoCRM version 9.3.4.
  • Restrict web server file system access.
  • Monitor for anomalous file operations.

Frequently asked questions

What is EspoCRM and what business functions does it support?

EspoCRM is an open-source customer relationship management (CRM) application designed to help businesses manage customer interactions, sales processes, and marketing activities. It supports lead and opportunity management, sales automation, email integration, reporting, and customizable dashboards to enhance customer engagement and streamline operations.

How does CVE-2026-33656 enable arbitrary file overwrites in EspoCRM?

CVE-2026-33656 is a path traversal vulnerability. An authenticated administrator can exploit EspoCRM's formula scripting engine to manipulate a file path, causing the application to overwrite arbitrary files on the web server instead of the intended attachment. This occurs because the `sourceId` field is concatenated directly into a file path without proper sanitization in `EspoUploadDir::getFilePath()`.

What weakness class does CVE-2026-33656 represent and what is its trigger path?

This vulnerability is classified as CWE-22, a path traversal weakness. The trigger path involves an authenticated administrator using EspoCRM's formula scripting engine to modify the `sourceId` field of an attachment entity. This manipulation allows directory traversal sequences to be injected, redirecting file operations to unintended locations on the web server.

What is the relevance of CVE-2026-33656, considering its scope and impact?

The relevance of CVE-2026-33656 is critical due to its potential to allow an authenticated administrator to read or write arbitrary files on the web server, leading to data compromise, denial of service, or even remote code execution. The vulnerability affects EspoCRM versions prior to 9.3.4. Halo classifies this CVE as external due to its network attack vector.

What are the recommended steps to address CVE-2026-33656?

The primary remediation step is to update EspoCRM to version 9.3.4 or later immediately. Additionally, organizations should audit administrative account access, review logs for suspicious activity, ensure web server processes run with minimal privileges, and strictly adhere to `open_basedir` restrictions to mitigate the risk.
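The mechanism described in the two FAQ entries above (a `sourceId` concatenated straight into a storage path) and the mitigations recommended here (input validation on path components, `open_basedir`) can be made concrete in a few lines. The following is an added PHP example written for this page; it is not EspoCRM's code and does not reproduce `EspoUploadDir::getFilePath()`. The upload directory, the function names, and the assumption that record IDs are short alphanumeric strings are all constructed for illustration. It shows the vulnerable join next to a hardened version with two independent controls, an audit helper for existing attachment rows, and a check of the `open_basedir` value:

```php
<?php
declare(strict_types=1);

// Added example, not EspoCRM's own code. It models the pattern in the advisory
// (an attachment's sourceId joined straight onto a storage directory) and the
// controls that stop it. UPLOAD_DIR, the function names and the ID format are
// assumptions made for illustration.

const UPLOAD_DIR = '/var/www/espocrm/data/upload';   // assumed storage root

// Lexical normalisation: drop '', '.' and resolve '..' segments without touching
// the filesystem (realpath() would fail on a not-yet-created upload target).
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

// True when $path lies strictly inside $base after normalisation.
function isInside(string $path, string $base): bool
{
    $base = normalizePath($base);
    $path = normalizePath($path);
    return strncmp($path, $base . '/', strlen($base) + 1) === 0;
}

// Vulnerable shape: the identifier is trusted and concatenated directly.
function getFilePathUnsafe(string $sourceId): string
{
    return UPLOAD_DIR . '/' . $sourceId;
}

// Hardened shape: an allow-list on the identifier (record IDs are assumed to be
// short alphanumeric strings, so traversal characters never belong) plus a
// containment check on the resolved path as defence in depth.
function getFilePathSafe(string $sourceId): string
{
    if (!preg_match('/\A[A-Za-z0-9]{1,32}\z/', $sourceId)) {
        throw new InvalidArgumentException('sourceId has an invalid format');
    }
    $candidate = UPLOAD_DIR . '/' . $sourceId;
    if (!isInside($candidate, UPLOAD_DIR)) {
        throw new RuntimeException('resolved path escapes the upload directory');
    }
    return normalizePath($candidate);
}

// Audit helper for stored attachment rows: returns the IDs whose unsafe join
// would resolve outside the upload directory.
function findSuspiciousSourceIds(array $sourceIds): array
{
    return array_values(array_filter(
        $sourceIds,
        fn(string $id): bool => !isInside(getFilePathUnsafe($id), UPLOAD_DIR)
    ));
}

// Reports whether open_basedir is in force and whether it covers the upload
// directory. An empty value is the weak setting: no restriction at all.
function auditOpenBasedir(?string $value = null): array
{
    $value = $value ?? (string) ini_get('open_basedir');
    if ($value === '') {
        return ['restricted' => false, 'covers_upload_dir' => false];
    }
    $covered = false;
    foreach (explode(PATH_SEPARATOR, $value) as $dir) {
        if (normalizePath($dir) === normalizePath(UPLOAD_DIR) || isInside(UPLOAD_DIR, $dir)) {
            $covered = true;
        }
    }
    return ['restricted' => true, 'covers_upload_dir' => $covered];
}

// Constructed sample values: one well-formed ID and two traversal attempts.
$samples = [
    '5f3a9c1e2b7d4a6f0',
    '../../../../outside-upload-dir',
    '../../web-root-file.php',
];

foreach ($samples as $id) {
    try {
        printf("%-32s -> %s\n", $id, getFilePathSafe($id));
    } catch (Throwable $e) {
        printf("%-32s -> rejected (%s)\n", $id, $e->getMessage());
    }
}
print_r(findSuspiciousSourceIds($samples));          // the two traversal values
print_r(auditOpenBasedir(''));                       // weak: unrestricted
print_r(auditOpenBasedir('/var/www/espocrm:/tmp'));  // constructed hardened value
```

Two design points are worth noting. The allow-list is the real fix, because it rejects the tampered value before any path is built; the containment check only catches what slips past it. And `open_basedir` is a blast-radius control, not a remediation: with the constructed value `/var/www/espocrm:/tmp`, the second traversal sample still resolves inside the permitted tree (the application directory itself), which is exactly the code-execution outcome the advisory warns about, so the 9.3.4 update remains the priority action.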
