EspoCRM Critical Path Traversal: Admin Access Leads to Server Compromise

The National Vulnerability Database has disclosed CVE-2026-33656, a critical path traversal vulnerability in EspoCRM, an open-source customer relationship management application. Prior to version 9.3.4, a flaw in EspoCRM’s formula scripting engine allowed authenticated administrators to manipulate the sourceId field of Attachment entities. This field, when concatenated directly into file paths without sanitization, enables an attacker to redirect file read or write operations.

This vulnerability, rated 9.1 CVSS (Critical), grants a high-privileged attacker the ability to move or overwrite files within the web server’s open_basedir scope. For defenders, this is a red flag: an attacker who gains administrative access to EspoCRM can leverage this to achieve arbitrary file manipulation, potentially leading to remote code execution or complete server compromise. The attacker’s calculus here is straightforward: turn high-privilege application access into a full system takeover.

Organizations running EspoCRM must prioritize patching to version 9.3.4 immediately. Given the critical severity and the ease with which an authenticated admin can exploit this, the window for attackers is wide open. This isn’t just about data; it’s about the integrity and availability of your entire web server.
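The flaw class described above (an attachment id joined directly into a file path inside the upload directory) beside a hardened version, as an added illustration in Python; this is not EspoCRM’s code or its fix, and the alphanumeric id pattern is an assumption since the page does not state the real id format:

```python
"""Vulnerable vs hardened attachment path construction (illustrative, not EspoCRM code)."""
import os
import re
from pathlib import Path

# Constructed assumption: attachment ids are short alphanumeric tokens. The real
# id format is not stated on the page; tighten the pattern to match it.
SAFE_ID = re.compile(r"[A-Za-z0-9]{1,64}")


def vulnerable_file_path(upload_dir: str, source_id: str) -> str:
    """The flaw class: the id is concatenated into the path with no validation,
    so a value such as '../../config.php' redirects the read or write."""
    return upload_dir + "/" + source_id


def escapes_upload_dir(upload_dir: str, source_id: str) -> bool:
    """Audit helper: does a stored sourceId value resolve outside upload_dir?
    Lexical check only (normpath), usable for scanning exported values offline."""
    base = os.path.normpath(upload_dir)
    target = os.path.normpath(vulnerable_file_path(upload_dir, source_id))
    return os.path.commonpath([base, target]) != base or target == base


def hardened_file_path(upload_dir: str, source_id: str) -> str:
    """Two independent guards: an allowlist on the id, then a containment check
    on the canonicalised path (symlinks resolved) so the file can only land
    directly inside the upload directory."""
    if not SAFE_ID.fullmatch(source_id):
        raise ValueError(f"malformed attachment id: {source_id!r}")
    base = Path(upload_dir).resolve()
    candidate = (base / source_id).resolve()
    if candidate.parent != base:
        raise ValueError("attachment path escapes upload directory")
    return str(candidate)


if __name__ == "__main__":
    print(vulnerable_file_path("/var/www/data/upload", "../../config.php"))
    print(escapes_upload_dir("/var/www/data/upload", "../../config.php"))
```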

What This Means For You

  • If your organization uses EspoCRM, you need to check your version immediately. Patch to 9.3.4 without delay. Audit your admin user logs for any suspicious activity, especially around attachment or formula engine usage, as an authenticated admin is the prerequisite for this critical path traversal.

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access)

Detection Rules

  • CVE-2026-33656 - EspoCRM Path Traversal to Arbitrary File Write (severity: critical; mapped to T1190; available as Sigma YAML)

Indicators of Compromise

  ID              Type            Indicator
  CVE-2026-33656  Path Traversal  EspoCRM versions prior to 9.3.4
  CVE-2026-33656  Path Traversal  EspoCRM built-in formula scripting engine
  CVE-2026-33656  Path Traversal  Vulnerable field: Attachment entity's `sourceId`
  CVE-2026-33656  Path Traversal  Vulnerable function: `EspoUploadDir::getFilePath()`
Source & Attribution

  Source Platform: NVD
  Channel: National Vulnerability Database
  Published: April 23, 2026 at 00:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.