{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-33534","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-20T18:05:11.831Z","datePublished":"2026-04-13T19:20:04.414Z","dateUpdated":"2026-04-14T16:28:58.299Z"},"containers":{"cna":{"title":"EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation","problemTypes":[{"descriptions":[{"cweId":"CWE-918","lang":"en","description":"CWE-918: Server-Side Request Forgery (SSRF)","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73","tags":["x_refsource_CONFIRM"],"url":"https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73"},{"name":"https://github.com/espocrm/espocrm/releases/tag/9.3.4","tags":["x_refsource_MISC"],"url":"https://github.com/espocrm/espocrm/releases/tag/9.3.4"}],"affected":[{"vendor":"espocrm","product":"espocrm","versions":[{"version":"< 9.3.4","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-04-13T19:20:04.414Z"},"descriptions":[{"lang":"en","value":"EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). 
The cause is that HostCheck::isNotInternalHost() relies on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, so validation falls through to a DNS lookup; the lookup returns no records and the host is incorrectly treated as safe, but cURL then normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4."}],"source":{"advisory":"GHSA-h7gx-8gwv-7g73","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-14T15:28:00.570907Z","id":"CVE-2026-33534","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-14T16:28:58.299Z"}}]}}
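Added example, not EspoCRM's code and not part of the record: the fail-open pattern the description attributes to HostCheck::isNotInternalHost(), reconstructed from that description (the dns_get_record() fallback and all function names are assumptions), beside a hardened check. The hardened version goes beyond the octal case the record names: it canonicalizes every inet_aton()-style IPv4 spelling that cURL will also accept (octal, hex, single 32-bit integer, shortened forms), range-checks the canonical address, and treats an unresolvable name as a denial rather than a pass.

```php
<?php
// Added example; not EspoCRM source. Function names are illustrative.

const INTERNAL_FLAGS = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;

/**
 * Fail-open pattern reconstructed from the advisory description (assumed,
 * not the project's code): only a canonical dotted quad is range-checked,
 * everything else goes to DNS, and "no records" is treated as not internal.
 */
function isNotInternalHostVulnerable(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return filter_var($host, FILTER_VALIDATE_IP, INTERNAL_FLAGS) !== false;
    }
    // "0177.0.0.1" is not a name DNS knows, so the lookup yields nothing...
    foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $record) {
        $ip = $record['ip'] ?? $record['ipv6'] ?? '';
        if (filter_var($ip, FILTER_VALIDATE_IP, INTERNAL_FLAGS) === false) {
            return false;
        }
    }
    return true; // ...and the host is declared safe; cURL then connects to 127.0.0.1
}

/**
 * Canonicalize an IPv4 literal with the grammar inet_aton() and cURL accept:
 * one to four dot-separated parts, each decimal, octal (leading 0) or hex
 * (0x), the last part filling all remaining bytes. Returns the dotted quad,
 * or null if the string is not such a literal (then it is a hostname).
 */
function canonicalizeIpv4(string $host): ?string
{
    $parts = explode('.', $host);
    $count = count($parts);
    if ($count > 4) {
        return null;
    }
    $values = [];
    foreach ($parts as $part) {
        if (preg_match('/^0[xX]([0-9a-fA-F]+)$/', $part, $m)) {
            $values[] = hexdec($m[1]);
        } elseif (preg_match('/^0([0-7]+)$/', $part, $m)) {
            $values[] = octdec($m[1]);
        } elseif (preg_match('/^(0|[1-9][0-9]*)$/', $part)) {
            $values[] = (float) $part;   // float so an oversized part fails the range test instead of wrapping
        } else {
            return null;                 // letters, empty part, "08": not an IPv4 literal
        }
    }
    $last = array_pop($values);
    foreach ($values as $v) {
        if ($v > 255) {
            return null;
        }
    }
    $lastBytes = 5 - $count;             // 4 parts -> last part is 1 byte, 1 part -> all 4 bytes
    if ($last > 2 ** (8 * $lastBytes) - 1) {
        return null;
    }
    $addr = 0;
    foreach ($values as $v) {
        $addr = ($addr << 8) | (int) $v;
    }
    $addr = ($addr << (8 * $lastBytes)) | (int) $last;
    return long2ip($addr);
}

/**
 * Hardened check: normalize first, range-check the canonical form, and
 * deny an unresolvable name (fail closed) instead of passing it through.
 */
function isNotInternalHostHardened(string $host): bool
{
    $host = trim($host, '[]');           // "[::1]" as it appears inside a URL
    $candidates = [];
    if (($v4 = canonicalizeIpv4($host)) !== null) {
        $candidates[] = $v4;             // every IPv4 spelling is checked as its dotted quad, never looked up
    } elseif (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $candidates[] = $host;           // IPv6 literal; ::1 and ::ffff:0:0/96 fall under NO_RES_RANGE
    } else {
        foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $record) {
            $candidates[] = $record['ip'] ?? $record['ipv6'] ?? '';
        }
    }
    if ($candidates === []) {
        return false;                    // nothing vouches for the host: deny
    }
    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, INTERNAL_FLAGS) === false) {
            return false;                // one loopback, link-local or private answer is enough to deny
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: every row is a spelling of the loopback address.
    foreach (['127.0.0.1', '0177.0.0.1', '0x7f.0.0.1', '2130706433', '127.1', '[::1]', '[::ffff:127.0.0.1]'] as $h) {
        printf("%-20s vulnerable:%-6s hardened:%s\n", $h,
            var_export(isNotInternalHostVulnerable($h), true),
            var_export(isNotInternalHostHardened($h), true));
    }
}
```

The check above still leaves a gap between its own lookup and the one cURL performs when it connects (DNS rebinding), so the vetted address should be pinned with CURLOPT_RESOLVE (an entry of the form "host:port:ip"), and CURLOPT_FOLLOWLOCATION should either stay off or the check be re-run against every redirect target, which is the redirect-based variant the record distinguishes as CVE-2023-46736.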