NEWS: Six requests to a full compromise. A code error in a popular CRM puts small businesses at risk

pinkman

EspoCRM developers have closed a critical vulnerability in the file handling mechanism.

A vulnerability has been found in the popular EspoCRM customer management system that turns administrative access into full control of the server. Six requests are enough to go from the admin panel to executing commands on the system. The issue, tracked as CVE-2026-33656, affects EspoCRM version 9.3.3. It was found while analysing the standard image with the Apache web server, in which the application runs as the www-data user.

EspoCRM itself is an open-source customer relationship management system often chosen by small and medium-sized companies. It includes process automation, transaction processing, email and even its own scripting mechanism. That mechanism became the starting point of the attack.

EspoCRM has a built-in “formula engine”, a scripting language with which an administrator can modify data, start processes and test logic through a separate interface. Access to it is restricted to administrator accounts, and at first glance this looks safe. But it turned out that the engine bypasses internal restrictions at the level of individual fields.

In the normal interface and through the API, some fields are protected. For example, certain values are marked “read-only” and do not change even if a request tries to set them. The formula engine, however, takes a different route and writes data directly, without checking such restrictions. As a result, an administrator can change fields that the system's logic does not allow anyone to touch.

The key was the sourceId field of an attachment. It determines the path to the file on disk. Normally the system sets this value itself and does not allow it to be changed. Through the formula engine, however, that restriction is bypassed, and an attacker can substitute any path, for example one pointing to a file outside the upload folder.

This is where it gets interesting. The system builds the file path by simple string concatenation, without any validation: no sanitisation, no restrictions. As a result, two possibilities open up at once.

First, arbitrary file read. It is enough to change the path to obtain, for example, the application configuration or a file containing database credentials.

Second, writing files to an arbitrary location. EspoCRM supports chunked uploads. If the path is changed before the upload, the system saves the data where the attacker specified. That allows writing an attacker-controlled file, including into a directory reachable from the browser.

One last detail remains. In a standard installation the server does not always execute such files as program code. That obstacle is bypassed with an .htaccess configuration file: by adding the appropriate rule, the attacker makes the server execute an uploaded file as a script. After that it is enough to open a specific URL, and the server starts executing commands. In the demonstration of the attack, the commands ran with the privileges of the www-data user, under which the web server runs.

The vulnerability is not limited to reading and writing files. The same mechanism allows reading hidden database fields, among them user password hashes and active session tokens. Such access opens the way to further escalation within the system.

The fix came quickly. In EspoCRM 9.3.4 the developer added file name sanitisation using the basename function, which cuts off any attempt to escape the permitted directory. The change was applied in several places at once where file paths are built. With it in place, the attack chain no longer works.
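To make the difference between the concatenated path and the basename-based fix concrete, here is an added example in Python (not EspoCRM's own PHP code). The upload directory and the attachment identifiers are constructed for the demonstration, and the containment check after basename is an extra defence-in-depth step assumed here, not something the article attributes to the patch.

```python
import os

# Constructed upload directory for the demonstration; not EspoCRM's real layout.
UPLOAD_DIR = "/srv/example-crm/data/upload"

def vulnerable_path(upload_dir: str, source_id: str) -> str:
    """Plain concatenation, as the article describes for 9.3.3: any '../' in
    sourceId is passed straight through, so the result may leave upload_dir."""
    return upload_dir + "/" + source_id

def escapes_dir(base_dir: str, path: str) -> bool:
    """True if the normalised path lies outside base_dir (defender-side check)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base

def safe_path(upload_dir: str, source_id: str) -> str:
    """Mirror of the 9.3.4 fix: basename() discards every directory component,
    so '../../data/config.php' collapses to 'config.php' inside upload_dir.
    The containment check afterwards is an added defence-in-depth assumption,
    not part of the fix the article describes."""
    name = os.path.basename(source_id)
    if name in ("", ".", ".."):
        raise ValueError(f"invalid attachment id: {source_id!r}")
    candidate = os.path.join(upload_dir, name)
    if escapes_dir(upload_dir, candidate):
        raise ValueError(f"path escapes upload directory: {candidate!r}")
    return candidate

def resolve_all(source_ids):
    """Run both builders over a list of ids.
    Returns {id: (concatenated_path, escapes_upload_dir, fixed_path_or_None)}."""
    out = {}
    for sid in source_ids:
        vuln = vulnerable_path(UPLOAD_DIR, sid)
        try:
            safe = safe_path(UPLOAD_DIR, sid)
        except ValueError:
            safe = None
        out[sid] = (vuln, escapes_dir(UPLOAD_DIR, vuln), safe)
    return out

if __name__ == "__main__":
    # Constructed sample ids: a normal attachment and two traversal attempts.
    for sid, (vuln, escaped, safe) in resolve_all(
        ["6f2a9c1e", "../../data/config.php", "../.."]
    ).items():
        print(f"{sid!r}: concat={vuln} escapes={escaped} fixed={safe}")
```

Note that basename keeps the write inside the upload directory but does not by itself reject a name such as .htaccess, so the upload directory should additionally not be served or executed by the web server.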

The formula engine itself, however, was not changed. The project's author considers the absence of field-level checks a deliberate design decision, not a bug. Nevertheless, it was the combination of this behaviour with the file handling that led to a critical vulnerability. The developer released the update within a day of receiving the report. Users are now advised to upgrade to version 9.3.4 or later as soon as possible.