Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27023 is a Server-Side Request Forgery (SSRF) vulnerability in the SecureHttpClientService of the open source CRM called Twenty, affecting versions prior to 1.18.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the SSRF protection only validated the IP address of the initial request URL but did not validate the IP addresses of HTTP redirect targets. This means that an authenticated user who can control outbound request URLs (like webhook endpoints or image URLs) could bypass private IP blocking by redirecting requests through an attacker-controlled server.'}, {'type': 'paragraph', 'content': "Additionally, the HTTP adapter used automatically follows redirects without revalidating the redirected URLs' IPs, and cross-protocol redirects (e.g., HTTPS to HTTP) bypassed certain security agents, further enabling the bypass."}, {'type': 'paragraph', 'content': 'This issue was patched in version 1.18 by moving IP validation from the request level to the connection level, ensuring every TCP connection, including those from redirects, is validated.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

An authenticated attacker with low privileges and no user interaction required can exploit this vulnerability to bypass private IP blocking and access internal network resources.

This can allow the attacker to read internal network responses, potentially exposing confidential data such as sensitive cloud metadata endpoints.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 5.0, indicating a significant risk of confidentiality impact.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves SSRF attacks exploiting redirect targets that bypass IP validation. Detection would involve monitoring outbound HTTP requests, especially those that follow redirects, and inspecting if any requests are redirected to private or sensitive IP addresses such as internal network ranges or cloud metadata endpoints (e.g., 169.254.169.254).

Since the vulnerability is related to authenticated users controlling outbound request URLs (like webhook endpoints or image URLs), reviewing logs for unusual or unexpected outbound requests and redirects can help detect exploitation attempts.

Specific commands are not provided in the resources, but general network monitoring commands could include:

• Using tcpdump or Wireshark to capture and analyze outbound HTTP traffic and redirects.
• Using curl with verbose output to manually test webhook or image URLs for unexpected redirects, e.g., `curl -v <URL>`.
• Checking application logs for outbound HTTP requests and their redirect chains.

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade the twenty CRM software to version 1.18 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'The patch moves IP validation from the request level to the connection level, ensuring that every TCP connection, including those from redirects, is validated to prevent SSRF bypass.'}, {'type': 'paragraph', 'content': "Until the upgrade is applied, restrict authenticated users' ability to control outbound request URLs, such as webhook endpoints or image URLs, to trusted domains only."}, {'type': 'paragraph', 'content': 'Additionally, monitor and restrict outbound HTTP redirects and implement network-level controls to block unauthorized access to private IP ranges and sensitive endpoints.'}] [2, 1]

Useful 0 Not Useful 0