SSRF Vulnerability in Twenty CRM by TwentyHQ
CVE-2026-33975

8.3HIGH

Key Information:

Vendor: Twentyhq
Status: Twenty
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-33975?

The SSRF vulnerability found in Twenty CRM versions up to 1.18.0 allows an authenticated user to bypass security measures using IPv4-mapped IPv6 addresses. The SecureHttpClientService's protection mechanism fails to recognize these addresses correctly, enabling potential access to internal IPs and sensitive cloud metadata endpoints. This could lead to unauthorized data exfiltration, including compromising crucial credentials like IAM keys, posing serious security risks to users.

Affected Version(s)

twenty <= 1.18.0

References

https://github.com/twentyhq/twenty/security/advisories/GH...

x_refsource_CONFIRM

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Mar 24, 2026

CVE-2026-33975 Data

JSON

Twentyhq

What is CVE-2026-33975?

Affected Version(s)

References

CVSS V4

Timeline