Twenty
CVE-2026-27023
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.
AnalysisAI
Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP redirect targets, enabling access to private IP addresses through attacker-controlled intermediaries. An attacker with control over webhook endpoints or image URLs can leverage this vulnerability to reach restricted internal resources that would normally be blocked.
Technical ContextAI
Classified as CWE-918 (Server-Side Request Forgery (SSRF)). Affects Twenty. Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.
RemediationAI
Fixed in version 1.18.. Restrict network access to the affected service where possible.
Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CR
The CRM platform Twenty is vulnerable to stored cross site scripting via file upload in version 0.3.0. Rated high severi
Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS com
The CRM platform Twenty version 0.3.0 is vulnerable to SSRF via file upload. Rated medium severity (CVSS 5.4), this vuln
Stored cross-site scripting in Twenty CRM versions 1.18.0 and earlier allows authenticated users to upload HTML/JavaScri
Cross-workspace data disclosure in Twenty CRM before 2.9.0 lets any authenticated user holding the AI settings flag (a w
Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows authenticated attackers to inject malicious Ja
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today