Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 10 Jul 2026 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges. | EspoCRM 5.7.0 prior to 5.9.0 contains an authentication token reuse vulnerability that allows authenticated attackers to bypass two-factor authentication by exploiting token-to-password-hash mapping in application/Espo/Core/Utils/Authentication/Espo.php. Attackers can obtain an authentication token for a controlled account and replay it against any victim account sharing the same password, since tokens are bound to password hashes rather than unique per-user values, bypassing the victim's 2FA protections. |
| Title | EspoCRM 5.8.5 - Privilege Escalation | EspoCRM 5.7.0 < 5.9.0 - Two-Factor Authentication Bypass via Auth Token Reuse Between Accounts with Identical Passwords |
| Weaknesses | CWE-303 | |
| CPEs | ||
| References |
| |
| Metrics |
cvssV3_1
|
cvssV3_1
|
Thu, 05 Mar 2026 02:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:2.3:a:espocrm:espocrm:5.8.5:*:*:*:*:*:*:* |
Tue, 03 Mar 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:* |
Wed, 04 Feb 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 04 Feb 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Espocrm
Espocrm espocrm |
|
| Vendors & Products |
Espocrm
Espocrm espocrm |
Tue, 03 Feb 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges. | |
| Title | EspoCRM 5.8.5 - Privilege Escalation | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-15T01:24:24.326Z
Reserved: 2026-02-01T13:16:06.487Z
Link: CVE-2020-37094
Updated: 2026-02-04T19:36:36.403Z
Status : Analyzed
Published: 2026-02-03T22:16:25.673
Modified: 2026-06-17T03:16:57.420
Link: CVE-2020-37094
No data.
OpenCVE Enrichment
Updated: 2026-02-04T12:05:01Z