Fat Free CRM Allows Anyone to Delete Emails
GHSA-9pm8-vwc5-w2hm
Summary
Authenticated users can delete emails assigned to other users when the Email Dropbox feature is enabled. Update to version 0.26.0, or disable the Email Dropbox feature as a workaround, to prevent unauthorized email deletion.
What to do
- Update michael dvorkin fat_free_crm to version 0.26.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| michael dvorkin | fat_free_crm | <= 0.26.0 | 0.26.0 |
Original title
Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID
Original description
### Impact
Authenticated users can delete emails imported into the system and assigned to another user where the [Email Dropbox](https://github.com/fatfreecrm/fat_free_crm/wiki/Email-Dropbox) is in use.
### Patches
Fixed in v0.26.0
### Workarounds
Disable use of email dropbox.
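The flaw described above is a classic object-level authorization bypass (CWE-639): the delete handler trusts a caller-supplied record id without checking that the caller owns the record. The following plain-Ruby model, added here as an illustration and not taken from Fat Free CRM's code base, contrasts the vulnerable lookup with a lookup scoped to the authenticated user; the data, `User`/`Email` structs and function names are constructed for the example.

```ruby
# Illustrative model of the BOLA/IDOR pattern behind "DELETE /emails/:id".
# Constructed sample data and names; this is not Fat Free CRM's actual code.
Email = Struct.new(:id, :user_id, :subject)
User  = Struct.new(:id, :name)

ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")

# Fresh in-memory "table" of imported emails keyed by id (constructed).
def seed_emails
  {
    10 => Email.new(10, ALICE.id, "Quote for Acme"),
    11 => Email.new(11, BOB.id,   "Renewal reminder"),
  }
end

# Vulnerable pattern: the record is found by the caller-supplied id alone
# (the Rails equivalent would be Email.find(params[:id]).destroy).
# current_user is accepted but never consulted, so any authenticated user
# can delete any email whose id they know or can enumerate.
def destroy_email_vulnerable(emails, current_user, id)
  email = emails[id]
  return :not_found unless email
  emails.delete(id)
  :deleted
end

# Hardened pattern: the lookup is scoped to the caller's own records
# (the Rails equivalent would be current_user.emails.find(params[:id])).
# A foreign id behaves exactly like a missing one, so nothing is deleted and
# the response does not reveal whether the record exists.
def destroy_email_scoped(emails, current_user, id)
  email = emails[id]
  return :not_found unless email && email.user_id == current_user.id
  emails.delete(id)
  :deleted
end

if __FILE__ == $PROGRAM_NAME
  store = seed_emails
  puts "bob deleting alice's email (vulnerable): #{destroy_email_vulnerable(store, BOB, 10)}"
  store = seed_emails
  puts "bob deleting alice's email (scoped):     #{destroy_email_scoped(store, BOB, 10)}"
  puts "alice deleting her own email (scoped):   #{destroy_email_scoped(store, ALICE, 10)}"
end
```

Scoping every lookup through the authenticated principal is the fix for this bug class regardless of framework; an explicit `email.user_id == current_user.id` check after an unscoped find is an acceptable fallback, but a scoped query cannot be forgotten on one code path.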
CVSS 4.0 (osv): 7.3
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026