Fat Free CRM allows any user to delete emails of others
GHSA-9pm8-vwc5-w2hm
Summary
A bug in Fat Free CRM allows any authenticated user to delete emails that belong to other users when the Email Dropbox feature is in use: the DELETE endpoint looks the email up by the caller-supplied id without checking who owns it. This means someone could delete important emails from another user's account. To fix this, update to version 0.26.0, or disable the Email Dropbox feature until you can upgrade.
What to do
- Update michael dvorkin fat_free_crm to version 0.26.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| rubygems | michael dvorkin | fat_free_crm | < 0.26.0 (fix: upgrade to 0.26.0) |
Original title
Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID
Original description
### Impact
Authenticated users can delete emails imported into the system and assigned to another user, where the [Email Dropbox](https://github.com/fatfreecrm/fat_free_crm/wiki/Email-Dropbox) is in use.
### Patches
Fixed in v0.26.0
### Workarounds
Disable use of email dropbox.
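The root cause is a record lookup keyed only on the caller-supplied id (CWE-639). The following is an added illustration, not Fat Free CRM's own code: a minimal in-memory model of a destroy action in its unscoped form next to an owner-scoped form. The User and Email structs, EmailStore, and the ownership rule (each email carries a user_id) are assumptions made for the example.

```ruby
# Hypothetical model of an "emails" destroy action (not the project's code).
User  = Struct.new(:id, :name)
Email = Struct.new(:id, :user_id, :subject)

class NotFound < StandardError; end

# Constructed sample data: two users, each owning one imported email.
EMAILS = [
  Email.new(1, 10, "Q2 contract - alice"),
  Email.new(2, 20, "Invoice 4711 - bob"),
].freeze

class EmailStore
  def initialize(rows)
    @rows = rows.map(&:dup)
  end

  def all
    @rows
  end

  # Global lookup by primary key: knows nothing about ownership.
  def find(id)
    @rows.find { |e| e.id == id } || raise(NotFound, "email #{id}")
  end

  def delete(email)
    @rows.delete(email)
  end
end

# Vulnerable pattern: DELETE /emails/:id resolves the record from the id
# alone, so any authenticated user can delete any email.
def destroy_unscoped(store, _current_user, id)
  store.delete(store.find(id))
  true
end

# Hardened pattern: the lookup is scoped to records the caller owns. An id
# belonging to someone else behaves exactly like a missing id (NotFound),
# so the check also avoids leaking whether other users' emails exist.
def destroy_scoped(store, current_user, id)
  email = store.all.find { |e| e.id == id && e.user_id == current_user.id }
  raise NotFound, "email #{id}" unless email
  store.delete(email)
  true
end
```

In a Rails app the same distinction is `Model.find(params[:id])` versus `current_user.emails.find(params[:id])`, with a 404 on failure in both the missing and the not-owned case.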
Severity (GHSA, CVSS 4.0): 2.1
Vulnerability type: CWE-639 Authorization Bypass Through User-Controlled Key
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026