Remote Code Execution Vulnerability in Twenty CRM by Twenty
CVE-2026-46624

9.9 CRITICAL

Key Information:

Vendor: Twentyhq
Status: Vendor
CVE Published: 26 May 2026

What is CVE-2026-46624?

Twenty CRM, an open-source customer relationship management tool, has a critical vulnerability that allows remote code execution through a chained SQL injection. Present in versions 1.7.7 through 1.16.7, it allows any authenticated user to execute arbitrary operating system commands on the database server. The root cause is that the unsanitized timeZone parameter of the REST API's groupBy endpoint is interpolated directly into a raw SQL expression, so attacker-controlled SQL reaches the database without validation or escaping. The impact is most serious in deployments where the application connects to PostgreSQL as a superuser.
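The following TypeScript is an added illustration and is not code from the Twenty CRM project: a hypothetical groupBy query builder (the function names, the "record" table and the column allowlist are assumptions) that shows the unsafe pattern the advisory describes, a caller-supplied timeZone string spliced into raw SQL, next to a hardened version that validates the value as an IANA zone name and binds it as a query parameter. Independently of the code fix, running the application's database role without PostgreSQL superuser rights limits what a successful injection can reach.

```typescript
// Added illustration, not Twenty CRM's code. Function names, the "record"
// table and the column allowlist below are assumptions for this example.

export interface SqlQuery {
  text: string;
  values: unknown[];
}

// Columns a client may group by; constructed for this example.
const GROUPABLE_COLUMNS = new Set(["createdAt", "updatedAt"]);

// UNSAFE (illustrative): the caller-supplied timeZone string is spliced
// straight into the SQL text, so any quote or statement terminator in it
// becomes part of the query. Do not use.
export function buildGroupByUnsafe(column: string, timeZone: string): SqlQuery {
  return {
    text: `SELECT date_trunc('day', "${column}" AT TIME ZONE '${timeZone}') AS bucket, COUNT(*) FROM "record" GROUP BY bucket`,
    values: [],
  };
}

// Shape of an IANA zone name such as "UTC", "Europe/Paris" or "Etc/GMT+5":
// letters, digits, "_", "+", "-" and "/" separators only.
const IANA_ZONE_SHAPE = /^[A-Za-z_][A-Za-z0-9_+\-]*(?:\/[A-Za-z0-9_+\-]+)*$/;

// Accept only syntactically plausible zone names that the runtime's ICU data
// actually recognises (Intl.DateTimeFormat throws RangeError otherwise).
export function isValidTimeZone(timeZone: string): boolean {
  if (!IANA_ZONE_SHAPE.test(timeZone)) return false;
  try {
    new Intl.DateTimeFormat("en-US", { timeZone });
    return true;
  } catch {
    return false;
  }
}

// Hardened: validate the column against an allowlist, validate the zone,
// and pass the zone as a bound parameter so the driver handles escaping
// and the value can never change the statement's structure.
export function buildGroupBySafe(column: string, timeZone: string): SqlQuery {
  if (!GROUPABLE_COLUMNS.has(column)) {
    throw new Error(`rejected groupBy column: ${JSON.stringify(column)}`);
  }
  if (!isValidTimeZone(timeZone)) {
    throw new Error(`rejected timeZone value: ${JSON.stringify(timeZone)}`);
  }
  return {
    text: `SELECT date_trunc('day', "${column}" AT TIME ZONE $1) AS bucket, COUNT(*) FROM "record" GROUP BY bucket`,
    values: [timeZone],
  };
}
```

With the hardened builder the SQL text is a fixed template whatever the client sends; the timeZone value only ever travels in `values`, and malformed input is rejected before any query is built, which is also the point at which a request log or WAF rule can flag repeated rejections.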

Affected Version(s)

twenty >= 1.7.7, <= 1.16.7

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
