WACRM Authorization Bypass via Automation Engine Endpoint
CVE-2026-49141

5.1MEDIUM

Key Information:

Vendor: Arnasdon
Status: Wacrm
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-49141?

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.

Affected Version(s)

wacrm 0

References

https://github.com/ArnasDon/wacrm/pull/194

issue-tracking

https://github.com/ArnasDon/wacrm/commit/73041bfa6420f5e1...

patch

https://www.vulncheck.com/advisories/wacrm-authorization-...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 27, 2026

Credit

Midhun Mohanan

VulnCheck

CVE-2026-49141 Data

JSON

Arnasdon

What is CVE-2026-49141?

Affected Version(s)

References

CVSS V4

Timeline

Credit