CVE-2026-41160

MEDIUM 4.3

EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first, authorize later" execution flaw in the backend API, even though the server correctly returns a 403 Forbidden error, the targeted note's pinned status is already persistently modified in the database. The root cause lies in the server-side processing of the POST /api/v1/Note/{id}/pin endpoint. In application/Espo/Tools/Stream/Api/PostNotePin.php, the process() method first calls getNote($id) before calling checkParent($note). This vulnerability is fixed in 9.3.5.

CWE	CWE-284 CWE-639 CWE-862
Vendor	espocrm
Product	espocrm
Published	May 28, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for espocrm espocrm

Be the first to know when new medium vulnerabilities affecting espocrm espocrm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

espocrm / espocrm

< 9.3.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/espocrm/espocrm/security/advisories/GHSA-c3rm-m24p-255p