Platform
php
Component
espocrm
Fixed in
9.3.5
CVE-2026-33659 describes a Server-Side Request Forgery (SSRF) vulnerability affecting EspoCRM versions 9.3.3 and earlier. This flaw allows attackers to potentially initiate requests to internal or external resources on behalf of the EspoCRM server, bypassing access controls. The vulnerability stems from a timing issue (TOCTOU) in hostname validation. EspoCRM version 9.3.4 addresses this issue.
The SSRF vulnerability in EspoCRM allows an attacker to craft a malicious request through the /api/v1/Attachment/fromImageUrl endpoint. Due to a TOCTOU (Time-of-Check-Time-of-Use) condition, the hostname validation process, which relies on dnsgetrecord(), can return a different IP address than the one used by curl's internal resolver (gethostbyname()). This discrepancy enables an attacker to bypass hostname restrictions and potentially access internal services or external resources that should be inaccessible. Successful exploitation could lead to information disclosure, unauthorized access to internal systems, or even remote code execution if the SSRF can be chained with other vulnerabilities. The DNS rebinding technique amplifies the risk, allowing attackers to dynamically change the target IP address during the request lifecycle.
CVE-2026-33659 has a LOW CVSS score of 3.5. No public Proof-of-Concept (POC) exploits have been publicly disclosed as of the publication date. The vulnerability is not currently listed on KEV or EPSS, indicating a low probability of active exploitation. The vulnerability was published on 2026-04-13, and it is recommended to monitor security advisories and threat intelligence feeds for any updates.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33659 is to upgrade EspoCRM to version 9.3.4 or later, which includes the necessary fixes. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict outbound network access from the EspoCRM server using a Web Application Firewall (WAF) or proxy to limit the potential impact of SSRF requests. Specifically, block requests to unusual or unexpected hostnames. Review and strengthen hostname validation logic within the application if possible, although this is a complex undertaking. After upgrading, confirm the vulnerability is resolved by attempting to trigger the /api/v1/Attachment/fromImageUrl endpoint with a known malicious hostname and verifying that the request is blocked or fails as expected.
Actualice EspoCRM a la versión 9.3.4 o posterior para mitigar la vulnerabilidad de SSRF. Esta actualización corrige la validación de host y evita que se utilicen diferentes direcciones IP para el mismo nombre de host, previniendo así el acceso no autorizado a la red interna.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33659 is a Server-Side Request Forgery (SSRF) vulnerability in EspoCRM versions 9.3.3 and below, allowing attackers to potentially initiate requests on behalf of the server.
You are affected if you are running EspoCRM version 9.3.3 or earlier. Upgrade to version 9.3.4 to resolve the vulnerability.
Upgrade EspoCRM to version 9.3.4 or later. As a temporary workaround, restrict outbound network access using a WAF or proxy.
As of the publication date, there are no publicly known active campaigns exploiting CVE-2026-33659, but vigilance is still advised.
Refer to the EspoCRM security advisories page for the latest information: [https://www.esposoft.com/security/](https://www.esposoft.com/security/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.