RubySec

Providing security resources for the Ruby community

GHSA-9pm8-vwc5-w2hm (fat_free_crm): Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID


Published: April 14, 2026

SECURITY IDENTIFIERS

GEM

fat_free_crm

SEVERITY

CVSS v3.x: 2.1 (Low)

PATCHED VERSIONS

>= 0.26.0

DESCRIPTION

Fat Free CRM has a BOLA (Broken Object Level Authorization) flaw in DELETE /emails/:id: any authenticated user can call this endpoint and delete emails by ID.

Impact

Where the Email Dropbox is in use, an authenticated user can delete emails imported into the system that are assigned to another user.
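The authorization gap described above, modelled in plain Ruby as an added example: this is not Fat Free CRM's code, and the in-memory store, the ids and the numeric status codes are constructed stand-ins for a Rails controller and the emails table.

```ruby
Email = Struct.new(:id, :user_id, :subject)

# Constructed stand-in for the emails table; the ids are made up.
class EmailStore
  def initialize(emails)
    @emails = emails.map { |e| [e.id, e] }.to_h
  end

  # Lookup by id alone: the access pattern that leads to BOLA.
  def find(id)
    @emails[id]
  end

  # Lookup scoped to the owner: another user's id behaves like a missing record.
  def find_for_user(user_id, id)
    email = @emails[id]
    email if email && email.user_id == user_id
  end

  def delete(id)
    @emails.delete(id)
  end

  def ids
    @emails.keys.sort
  end
end

# Vulnerable shape (status codes stand in for the controller's responses):
# the caller is authenticated, but the record is fetched by id alone, so any
# logged-in user can delete any user's email.
def destroy_unscoped(store, current_user_id, id)
  return 401 if current_user_id.nil?
  email = store.find(id)
  return 404 if email.nil?
  store.delete(email.id)
  204
end

# Hardened shape: resolve the id only within the caller's own emails, the
# equivalent of current_user.emails.find(params[:id]) in Rails, which raises
# RecordNotFound (404) for someone else's email instead of deleting it.
def destroy_scoped(store, current_user_id, id)
  return 401 if current_user_id.nil?
  email = store.find_for_user(current_user_id, id)
  return 404 if email.nil?
  store.delete(email.id)
  204
end
```

The scoped lookup is the check to look for when auditing a fix for this advisory: ownership is enforced by the query itself rather than by a separate comparison that a later refactor can drop.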

Workarounds

Disable the Email Dropbox.
