Vulnerability in Twenty CRM File Serving Endpoints Exploitable by Authenticated Attackers
CVE-2026-44729

8.7HIGH

Key Information:

Vendor: Twentyhq
Status: Twenty
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-44729?

An identified vulnerability allows an authenticated attacker to upload an HTML file that includes JavaScript to Twenty CRM. This is due to improper handling of file serving endpoints, which do not set critical HTTP response headers like Content-Type, Content-Disposition, or X-Content-Type-Options. Consequently, when a victim accesses the uploaded file, the JavaScript is executed within the context of the Twenty CRM domain. This exploit can lead to session hijacking, unauthorized access, and potential data theft, emphasizing the need for mitigative measures to secure file handling processes.

Affected Version(s)

twenty <= 1.18.0

References

https://github.com/twentyhq/twenty/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-44729 Data

JSON

Twentyhq

What is CVE-2026-44729?

Affected Version(s)

References

CVSS V3.1

Timeline