No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Fri, 10 Jul 2026 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges. | EspoCRM 5.7.0 prior to 5.9.0 contains an authentication token reuse vulnerability that allows authenticated attackers to bypass two-factor authentication by exploiting token-to-password-hash mapping in application/Espo/Core/Utils/Authentication/Espo.php. Attackers can obtain an authentication token for a controlled account and replay it against any victim account sharing the same password, since tokens are bound to password hashes rather than unique per-user values, bypassing the victim's 2FA protections. |
| Title | EspoCRM 5.8.5 - Privilege Escalation | EspoCRM 5.7.0 < 5.9.0 - Two-Factor Authentication Bypass via Auth Token Reuse Between Accounts with Identical Passwords |
| Weaknesses | CWE-303 | |
| CPEs | ||
| References |
| |
| Metrics |
cvssV3_1
|
cvssV3_1
|
Thu, 05 Mar 2026 02:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:2.3:a:espocrm:espocrm:5.8.5:*:*:*:*:*:*:* |
Tue, 03 Mar 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:* |
Wed, 04 Feb 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 04 Feb 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Espocrm
Espocrm espocrm |
|
| Vendors & Products |
Espocrm
Espocrm espocrm |
Tue, 03 Feb 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges. | |
| Title | EspoCRM 5.8.5 - Privilege Escalation | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-15T01:24:24.326Z
Reserved: 2026-02-01T13:16:06.487Z
Link: CVE-2020-37094
Updated: 2026-02-04T19:36:36.403Z
Status : Analyzed
Published: 2026-02-03T22:16:25.673
Modified: 2026-06-17T03:16:57.420
Link: CVE-2020-37094
No data.
OpenCVE Enrichment
Updated: 2026-02-04T12:05:01Z