VYPR
Medium severity4.3NVD Advisory· Published May 28, 2026· Updated May 28, 2026

CVE-2026-41160

CVE-2026-41160

Description

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first, authorize later" execution flaw in the backend API, even though the server correctly returns a 403 Forbidden error, the targeted note's pinned status is already persistently modified in the database. The root cause lies in the server-side processing of the POST /api/v1/Note/{id}/pin endpoint. In application/Espo/Tools/Stream/Api/PostNotePin.php, the process() method first calls getNote($id) before calling checkParent($note). This vulnerability is fixed in 9.3.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Espocrm/Espocrminferred2 versions
    <9.3.5+ 1 more
    • (no CPE)range: <9.3.5
    • (no CPE)range: <9.3.5

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.