Skip to main content

Wacrm

1 CVEs product

Monthly

CVE-2026-49141 MEDIUM PATCH This Month

Cross-tenant contact tampering in WACRM (arnasdon/wacrm) before commit 73041bf allows any authenticated tenant user to read and modify contacts owned by other tenants by passing an arbitrary contact_id to the automation engine endpoint, which invokes a Supabase service-role client that bypasses row-level security. The flaw is an IDOR/authorization bypass (CWE-639) reported by VulnCheck; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Wacrm
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-tenant contact tampering in WACRM (arnasdon/wacrm) before commit 73041bf allows any authenticated tenant user to read and modify contacts owned by other tenants by passing an arbitrary contact_id to the automation engine endpoint, which invokes a Supabase service-role client that bypasses row-level security. The flaw is an IDOR/authorization bypass (CWE-639) reported by VulnCheck; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Wacrm
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy