HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Authenticated SSRF in EspoCRM 9.3.3 (CVE-2026-33534) Enables Internal Network Access

A publicly disclosed SSRF flaw (CVE‑2026‑33534) in EspoCRM 9.3.3 lets authenticated users force the server to request internal resources using alternative IPv4 notations. The issue can expose internal APIs, metadata services, or customer data, posing a high third‑party risk for organizations that rely on EspoCRM.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

Authenticated SSRF Vulnerability in EspoCRM 9.3.3 Exposes Internal Services

What Happened — A newly disclosed CVE‑2026‑33534 allows an authenticated attacker to craft specially‑formatted IPv4 notations (octal, hex, short forms) that bypass EspoCRM’s URL validation, forcing the server to issue HTTP requests to internal addresses (SSRF). The exploit is publicly available on Exploit‑DB and can be used to reach localhost, internal APIs, or cloud metadata services.

Why It Matters for TPRM

  • SSRF can be leveraged to pivot into the vendor’s internal network, exposing customer data or enabling ransomware.
  • SaaS CRM platforms often host sensitive business data; a breach could cascade to client organizations.
  • The vulnerability is authenticated, meaning compromised credentials (phished or reused) can be weaponized quickly.

Who Is Affected — SaaS CRM providers, their downstream customers in finance, healthcare, and other data‑intensive sectors; any organization that integrates EspoCRM via API or UI.

Recommended Actions

  • Verify whether any EspoCRM instances in your supply chain run version 9.3.3 or earlier.
  • Patch to the latest fixed release (≥ 9.3.4) or apply the vendor’s mitigation (input validation).
  • Rotate all privileged EspoCRM credentials and enforce MFA.
  • Conduct internal scans for SSRF payloads and monitor outbound traffic for anomalous internal requests.

Technical Notes — Authenticated SSRF via alternative IPv4 notation; CVE‑2026‑33534; exploit script available on Exploit‑DB; affects the web‑application layer and can be used to reach internal services such as metadata endpoints. Source: https://www.exploit-db.com/exploits/52583

📰 Original Source
https://www.exploit-db.com/exploits/52583

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →