Skip to main content

Twenty CRM CVE-2026-46624

| EUVDEUVD-2026-31907 CRITICAL
OS Command Injection (CWE-78)
2026-05-26 GitHub_M
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:31 vuln.today
CVE Published
May 26, 2026 - 17:01 nvd
CRITICAL 9.9

DescriptionGitHub Advisory

Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If Postgres user is a super user then any authenticated user can execute arbitrary OS commands on the database server by injecting SQL through the unsanitized timeZone parameter in the REST API groupBy endpoint. The timeZone field within the group_by query parameter is directly interpolated into a raw SQL expression using JavaScript template literals without any parameterization, validation, or escaping. This affects engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts.

AnalysisAI

Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.

Technical ContextAI

Twenty is an open-source CRM platform whose GraphQL/REST query runner builds PostgreSQL group_by expressions in engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts. The timeZone field inside the group_by query parameter is concatenated into a raw SQL fragment using JavaScript template literals, with no parameter binding, allow-listing, or escaping - a textbook CWE-78 (OS Command Injection) outcome enabled by SQL injection. PostgreSQL's COPY ... TO PROGRAM directive lets a superuser pipe query output through an OS command, so once SQLi is achieved on a database connection whose role has SUPERUSER, the injected statement reaches the underlying shell of the database host. The affected CPE is cpe:2.3:a:twentyhq:twenty covering all versions in the stated range.

RemediationAI

Upgrade Twenty CRM to a release later than 1.16.7 as described in the vendor advisory at https://github.com/twentyhq/twenty/security/advisories/GHSA-jgx4-6mr9-9573; the input data does not name a specific fixed tag, so upstream fix available per advisory but released patched version not independently confirmed - consult the GHSA before deploying. As immediate compensating controls, reconfigure the application's PostgreSQL role to remove SUPERUSER (this alone blocks COPY TO PROGRAM and downgrades the bug from RCE to SQLi, with the side effect that any Twenty features relying on superuser-only operations must be reviewed), block or proxy-filter the REST API groupBy endpoint at the reverse proxy to reject group_by parameters containing quote, semicolon, or COPY/PROGRAM tokens (may break legitimate group-by queries with unusual time zones), and restrict access to the API to trusted networks or via authenticated VPN since exploitation requires only a valid low-privilege account. Rotate database credentials and audit logs for unexpected COPY TO PROGRAM statements after patching.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-46624 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy