GHSA-9pm8-vwc5-w2hm: Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID

April 14, 2026

Authenticated users can delete emails imported into the system assigned to another user; where the Email Dropbox is in use.

References

github.com/advisories/GHSA-9pm8-vwc5-w2hm
github.com/fatfreecrm/fat_free_crm
github.com/fatfreecrm/fat_free_crm/security/advisories/GHSA-9pm8-vwc5-w2hm

Code Behaviors & Features

Detect and mitigate GHSA-9pm8-vwc5-w2hm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →