CVE-2026-26720
Received Received - Intake
Remote Code Execution in Twenty CRM via local.driver.ts Module

Publication date: 2026-03-02

Last updated on: 2026-03-04

Assigner: MITRE

Description
An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26720
EUVD
EUVD-2026-9194
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
twenty twenty to 1.15.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26720 is a critical Remote Code Execution (RCE) vulnerability in Twenty CRM version 1.15.0 and earlier, specifically in its Workflow Automation feature called "Code - Serverless Function."'}, {'type': 'paragraph', 'content': 'The issue arises because user-supplied Node.js code is executed directly within the main server process without any sandboxing, isolation, or restrictions. This means that an attacker with workflow creation permissions can run arbitrary Node.js code on the server.'}, {'type': 'paragraph', 'content': 'Technically, the vulnerability allows importing sensitive Node.js modules like child_process to execute system-level shell commands, read sensitive files such as /etc/passwd, and access environment variables containing secrets like database credentials and API keys.'}] [2, 3]

Impact Analysis

This vulnerability can lead to a full system compromise in self-hosted Twenty CRM deployments.

  • Confidentiality breach by reading sensitive system files and environment variables containing database credentials, API keys, and application secrets.
  • Integrity compromise by modifying application code, injecting malware, or forging JWT tokens to impersonate any user including administrators.
  • Availability disruption by exhausting server resources or shutting down services.
  • Lateral movement within the deployment’s private network to access other services like Postgres and Redis.
  • Persistence through filesystem modifications, cron jobs, or backdoors.
  • Potential for data exfiltration, reverse shells, and execution of secondary malicious payloads.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Twenty CRM deployment is version 1.15.0 or earlier and if the Workflow Automation feature "Code - Serverless Function" is enabled and accessible to authenticated users with workflow creation permissions.'}, {'type': 'paragraph', 'content': 'To detect exploitation or test for the vulnerability, you can attempt to run commands through the vulnerable serverless function environment, such as executing system commands like `cat /etc/passwd`, `ls`, or `whoami` via the workflow interface.'}, {'type': 'paragraph', 'content': "Specifically, commands that exploit the child_process module's execSync function can be used to verify if arbitrary code execution is possible."}, {'type': 'list_item', 'content': 'Use the workflow feature to run a payload that executes `cat /etc/passwd` and observe if the contents of the file are returned.'}, {'type': 'list_item', 'content': 'Attempt to execute `whoami` or `ls` commands via the serverless function to check if system commands run successfully.'}, {'type': 'list_item', 'content': 'Check for unexpected environment variable disclosures by attempting to dump `process.env` through the workflow function.'}] [2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable Workflow Automation feature and limiting workflow creation permissions to trusted users only.

Architectural and configuration changes should be applied to isolate user-supplied code execution and prevent arbitrary code execution with full server privileges.

  • Implement strict sandboxing for serverless function execution, such as using VM2 sandbox, isolated Docker containers without network or volume access, or micro-VMs like Firecracker.
  • Restrict or disable access to sensitive Node.js modules including child_process, fs, and net within the serverless function environment.
  • Prevent inheritance of environment variables containing secrets by scrubbing or isolating the execution context before running user code.
  • Consider architectural changes such as forking user functions into separate child processes or worker threads running under restricted OS users with limited filesystem and network access.
  • If possible, disable or avoid using the vulnerable local.driver.ts module or upgrade once a patch is available.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26720. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart