Overview
CVE-2026-33656 is a critical-severity (CVSS 9.1) improper access control vulnerability in EspoCRM, a widely deployed open-source customer relationship management application. Published on April 22, 2026, the flaw affects all EspoCRM versions prior to 9.3.4.
The vulnerability resides in EspoCRM's built-in formula scripting engine — a feature that enables administrators to automate field updates and business logic using a custom scripting language. Through this engine, an authenticated administrator can update the sourceId field on Attachment entities, a field that should be immutable after an attachment is created. Overwriting sourceId allows an attacker to point attachments at arbitrary file system paths or internal resources, enabling unauthorized data access or manipulation.
Technical Details
Vulnerability Root Cause
EspoCRM's formula scripting engine exposes functions that allow updating entity fields programmatically. The engine fails to enforce write restrictions on the sourceId field of Attachment records. This field acts as a reference to the underlying file storage location.
An authenticated administrator who can edit formula scripts (a capability administrators have by default) can craft a formula expression that sets sourceId to an attacker-controlled value, redirecting the attachment's storage reference to an arbitrary location.
Attack Scenario
- Attacker authenticates as an EspoCRM administrator (or compromises an admin account).
- Attacker creates or modifies a formula script targeting the Attachment entity type.
- The formula sets sourceId to a controlled path or foreign identifier.
- Subsequent reads or exports of the attachment resolve against the manipulated sourceId, returning data the attacker designates.
Why sourceId Matters
In EspoCRM, sourceId links an Attachment record to its underlying file on disk or in object storage. Overwriting it can:
- Redirect file downloads to sensitive server-side files
- Corrupt attachment references across linked records (Emails, Documents, Notes)
- Enable exfiltration of files the admin account would not normally be able to download through the UI
Affected Versions
| Software | Affected Versions |
|---|---|
| EspoCRM | All versions prior to 9.3.4 |
CVSS Score Breakdown
| Metric | Value |
|---|---|
| Base Score | 9.1 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High (Admin) |
| User Interaction | None |
| Scope | Changed |
| Impact | High Confidentiality, High Integrity |
Patch & Mitigation
Patch: Upgrade to EspoCRM version 9.3.4 or later. The fix introduces validation that blocks formula script modifications to the sourceId field on Attachment entities.
Immediate mitigations for unpatched instances:
- Restrict formula scripting access — ensure only fully trusted administrators have access to EspoCRM formula configuration.
- Audit existing formula scripts for any expressions targeting Attachment.sourceId and remove or disable them.
- Review admin account hygiene: rotate credentials for all EspoCRM administrator accounts, particularly any shared or service accounts.
- Monitor attachment access logs for unusual download patterns or access to unexpected file paths.
- Apply the patch immediately — the low attack complexity and network exposure make this a high-priority remediation.
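As an added worked example (not code from the original advisory or from the EspoCRM project), the following Python script implements two of the mitigations above: the version check against the fixed release and the audit of formula scripts for references to sourceId. It assumes a layout in which entity formula scripts are stored as JSON files named after the entity type, with the script text under keys such as beforeSaveCustomScript; that directory layout, the key names in FORMULA_KEYS, and the sample formula texts are assumptions constructed for the example, so adjust them to match your installation. Detection keys on the string literal sourceId rather than on a particular formula function, so it also surfaces scripts on other entities that reach Attachment records indirectly.

```python
import json
import re
import sys
from pathlib import Path

# Assumption for this example: entity formula scripts are stored as JSON
# files named after the entity type (e.g. Attachment.json), with the script
# text under one of these keys. Adjust to the layout of your installation.
FORMULA_KEYS = ("beforeSaveCustomScript", "beforeSaveScript", "formula")

# Match the attribute name as a string literal so the check does not depend
# on which formula function (attribute setter, record update, ...) writes it.
SOURCE_ID_RE = re.compile(r"""['"]sourceId['"]""")
ATTACHMENT_RE = re.compile(r"""['"]Attachment['"]""")

FIXED_VERSION = "9.3.4"


def version_tuple(version: str) -> tuple:
    """Numeric comparison, so 9.10.0 sorts above 9.3.4 (a string compare would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", version)[:3])


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def find_sourceid_formulas(entity_type: str, payload: dict) -> list:
    """Return one finding per script key whose formula text names sourceId."""
    findings = []
    for key in FORMULA_KEYS:
        script = payload.get(key)
        if not isinstance(script, str) or not SOURCE_ID_RE.search(script):
            continue
        # A script on Attachment itself writes the field directly; a script on
        # any other entity can only reach it by naming Attachment explicitly.
        targets_attachment = (
            entity_type == "Attachment" or ATTACHMENT_RE.search(script) is not None
        )
        findings.append({
            "entityType": entity_type,
            "key": key,
            "targetsAttachment": targets_attachment,
            "lines": [n for n, line in enumerate(script.splitlines(), 1)
                      if SOURCE_ID_RE.search(line)],
        })
    return findings


def audit_directory(formula_dir: Path) -> list:
    """Scan every <EntityType>.json in the assumed formula directory."""
    findings = []
    for path in sorted(formula_dir.glob("*.json")):
        try:
            payload = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to audit
        if isinstance(payload, dict):
            findings.extend(find_sourceid_formulas(path.stem, payload))
    return findings


# Constructed sample scripts (not taken from any real installation). The first
# two are the shapes an audit should surface; the third is benign.
SAMPLE_FORMULAS = {
    "Attachment": {
        "beforeSaveCustomScript":
            "// constructed: rewrites the storage reference on save\n"
            "entity\\setAttribute('sourceId', 'PLACEHOLDER');",
    },
    "Document": {
        "beforeSaveCustomScript":
            "// constructed: reaches Attachment from another entity's script\n"
            "record\\update('Attachment', fileId, 'sourceId', 'PLACEHOLDER');",
    },
    "Lead": {
        "beforeSaveCustomScript":
            "// constructed: benign, never mentions sourceId\n"
            "ifThen(entity\\isNew(), entity\\setAttribute('status', 'New'));",
    },
}


def audit_samples() -> list:
    """Run the same check over the constructed samples above."""
    findings = []
    for entity_type, payload in SAMPLE_FORMULAS.items():
        findings.extend(find_sourceid_formulas(entity_type, payload))
    return findings


if __name__ == "__main__":
    installed = sys.argv[1] if len(sys.argv) > 1 else "9.3.3"
    print(f"version {installed}: {'AFFECTED' if is_affected(installed) else 'patched'}")
    results = audit_directory(Path(sys.argv[2])) if len(sys.argv) > 2 else audit_samples()
    for f in results:
        flag = "ATTACHMENT" if f["targetsAttachment"] else "review"
        print(f"[{flag}] {f['entityType']}.{f['key']} references sourceId on line(s) {f['lines']}")
```

Run it with the installed version as the first argument and the formula directory as the second; with no arguments it audits the embedded samples. Every hit deserves a manual read, since a script that merely reads sourceId is harmless, but anything flagged ATTACHMENT that writes the field is exactly what the 9.3.4 fix blocks and should be removed or disabled until you have patched.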
Recommendations
Organizations running EspoCRM versions prior to 9.3.4 should apply the patch immediately. While the vulnerability requires administrator-level credentials, admin account compromise is a realistic threat vector via phishing, credential stuffing, or lateral movement. The Changed scope rating reflects that successful exploitation can impact resources beyond the attacker's authentication boundary.
Audit your EspoCRM formula scripting configuration and ensure the principle of least privilege is applied to all administrative accounts.