CVE-2026-46624

9.9 CRITICAL

Twenty is an open source CRM

Published: 2026-05-26 · Last updated: 2026-05-27

Severity and scoring

CVSS: 9.9 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-78, CWE-89

Affected products

Vendor	Product
twenty	twenty

Description

Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If Postgres user is a super user then any authenticated user can execute arbitrary OS commands on the database server by injecting SQL through the unsanitized timeZone parameter in the REST API groupBy endpoint. The timeZone field within the group_by query parameter is directly interpolated into a raw SQL expression using JavaScript template literals without any parameterization, validation, or escaping. This affects engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-46624
[Vendor advisory]https://github.com/twentyhq/twenty/security/advisories/GHSA-jgx4-6mr9-9573
[Vendor advisory]https://github.com/twentyhq/twenty/security/advisories/GHSA-jgx4-6mr9-9573

Related CVEs

Same vendor

CVE-2026-44729 — Twenty is an open source CRM (8.7 HIGH)

Same CWE

CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
CVE-2026-42563 — Dulwich is a pure-Python implementation of the Git file formats and protocols
CVE-2026-0273 — A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrict...
CVE-2026-6893 — A flaw was found in dracut (8.8 HIGH)
CVE-2026-46643 — Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page