CVE-2026-41141— EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup
Possible ATT&CK Techniques 2AI
T1210 · Exploitation of Remote Services T1005 · Data from Local SystemGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41141
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup
Source: NVD (National Vulnerability Database)
Vulnerability Description
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) without performing an ACL check. An authenticated user with EmailTemplate read permission can extract all field values of any entity by supplying the target's email address, bypassing read: own or read: team ACL restrictions. This vulnerability is fixed in 9.3.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41141
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41141
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-41141 (1)
IV. Related Vulnerabilities
Same product: espocrm
- CVE-2026-41160
EspoCRM: Broken Access Control / IDOR in Note Pinning API al - CVE-2026-33741
EspoCRM: Stored XSS via SVG attachment loading same-origin J - CVE-2026-33733
EspoCRM has Admin TemplateManager path traversal that allows - CVE-2026-33656
EspoCRM vulnerable to authenticated RCE via Formula with pat - CVE-2026-33740
EspoCRM: Email importEml can import and delete another user'
Same vendor: espocrm
- CVE-2026-41160
EspoCRM: Broken Access Control / IDOR in Note Pinning API al - CVE-2026-33741
EspoCRM: Stored XSS via SVG attachment loading same-origin J - CVE-2026-33733
EspoCRM has Admin TemplateManager path traversal that allows - CVE-2026-33656
EspoCRM vulnerable to authenticated RCE via Formula with pat - CVE-2026-33740
EspoCRM: Email importEml can import and delete another user'
Same weakness: CWE-639
- CVE-2026-47266
Formie: Unauthenticated front-end submission editing can ove - CVE-2026-49386
JetBrains YouTrack低于2026.1.13570存在不当访问控制漏洞 - CVE-2026-43917
Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints m - CVE-2026-9493
BankPro E-Service Technology|Service Center - Insecure Direc - CVE-2026-45342
LinkAce: IDOR in Update Policies Allows Any Authenticated Us
V. Comments for CVE-2026-41141
No comments yet