CVE-2026-44729
Status: Analyzed - Analysis Complete
Stored XSS in Twenty CRM via Unsafe File Serving

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed, enabling session hijacking, account takeover, and data theft.
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
Sources: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: twenty, Product: twenty, Version / Range: up to and including 1.18.0
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-44729 is a stored cross-site scripting (XSS) vulnerability in Twenty CRM versions up to and including 1.18.0. The file serving endpoints at /files/* and /file/:fileFolder/:id stream uploaded files to the client with fileStream.pipe(res) without setting a Content-Type, Content-Disposition, or X-Content-Type-Options header.

This allows an authenticated attacker with Member role privileges to upload an HTML file containing JavaScript. Because no Content-Type is declared, the victim's browser MIME-sniffs the response and renders the file as a page on the Twenty CRM origin, so the embedded script runs with that origin's privileges as soon as the victim opens the file URL.

The root cause is twofold: the file serving code sets no security headers, and uploads are not validated for file type beyond the existing SVG handling, so nothing stops an HTML file from being stored. Exploitation consists of uploading such a file and luring an administrator or another user into opening its URL.

Impact Analysis

This vulnerability can lead to serious security impacts including session hijacking, account takeover, data theft and, when the victim is an administrator, privilege escalation for the attacker.

Because the malicious JavaScript runs inside the victim's session on the Twenty CRM origin, it can read and act with everything that session can: issue API requests as the victim, read CRM records, and exfiltrate sensitive data to an attacker-controlled host.

The CVSS score of 8.7 (High) reflects the severity of these impacts.

Detection Guidance

An instance is affected if a file fetched from /files/* or /file/:fileFolder/:id comes back with no Content-Type (or with a browser-renderable one such as text/html), no Content-Disposition: attachment, and no X-Content-Type-Options: nosniff.

Inspect the response headers of a file URL directly. Prefer looking at a GET over a HEAD request, since file handlers may answer HEAD with different headers or not at all, and send the session cookie if the endpoint requires authentication.

  • Use curl to inspect headers of a file URL: curl -I https://your-twenty-crm-domain/files/somefile (HEAD), or curl -s -D - -o /dev/null https://your-twenty-crm-domain/files/somefile to see the headers of a real GET with the body discarded.
  • Flag responses that lack Content-Type, Content-Disposition, or X-Content-Type-Options, or that carry Content-Type: text/html (or image/svg+xml) without an attachment disposition.
  • Review files uploaded by authenticated users, especially those created via the uploadWorkflowFile mutation, for HTML content regardless of the file extension.
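The header checks from the list above, as an added example that is not code from the Twenty project or from this advisory. assessFileResponse() applies the detection criteria to a set of response headers, and probe() fetches a real file URL with Node's built-in fetch (Node 18+) and runs the same check. The sample header sets at the bottom and the TWENTY_FILE_URL / TWENTY_COOKIE environment variables are constructed assumptions, not observed responses.

```javascript
// Added example for this advisory; not code from the Twenty project.
// Media types a browser will execute script from when it renders them inline.
const ACTIVE_TYPES = new Set([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
  'text/xml',
  'application/xml',
]);

// Accept either a fetch Headers object or a plain object; lower-case the keys.
function normalizeHeaders(headers) {
  const out = {};
  const entries =
    typeof headers.entries === 'function' ? headers.entries() : Object.entries(headers);
  for (const [key, value] of entries) out[key.toLowerCase()] = String(value).trim();
  return out;
}

// "text/html; charset=utf-8" -> "text/html"
function mediaType(contentType) {
  return contentType ? contentType.split(';')[0].trim().toLowerCase() : '';
}

// Returns { vulnerable, findings }. "vulnerable" means an uploaded HTML file
// would be rendered as a document on this origin; "findings" lists every weak
// or missing header so a partially hardened instance is still visible.
function assessFileResponse(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const type = mediaType(h['content-type']);
  const disposition = (h['content-disposition'] || '').toLowerCase();
  const forcesDownload = disposition.startsWith('attachment');
  const nosniff = (h['x-content-type-options'] || '').toLowerCase() === 'nosniff';
  const findings = [];
  let vulnerable = false;

  if (!type) {
    // pipe(res) with no Content-Type: the browser sniffs the body, and a body
    // that begins with <html> or <script> is rendered as an HTML document.
    findings.push('no Content-Type header; body will be MIME-sniffed');
    vulnerable = !forcesDownload;
  } else if (ACTIVE_TYPES.has(type) && !forcesDownload) {
    findings.push(`active type ${type} served inline`);
    vulnerable = true;
  }
  if (!nosniff) findings.push('missing X-Content-Type-Options: nosniff');
  if (!disposition) findings.push('missing Content-Disposition');
  return { vulnerable, findings };
}

// Live check. GET is used rather than HEAD because file handlers may answer
// HEAD with different headers or not at all; the body is discarded unread.
async function probe(url, cookie) {
  const res = await fetch(url, {
    method: 'GET',
    headers: cookie ? { cookie } : {},
    redirect: 'manual',
  });
  await res.body?.cancel();
  const result = { status: res.status, ...assessFileResponse(res.headers) };
  if (res.status !== 200) {
    // A login redirect or error page is not the file body; do not score it.
    result.vulnerable = false;
    result.findings.unshift(`status ${res.status}: not a file body, check authentication first`);
  }
  return result;
}

// Constructed samples: what the advisory says an unpatched instance sends
// (no content headers at all, only transport headers) and a hardened response.
const SAMPLE_UNPATCHED = { 'Content-Length': '142', Date: 'Tue, 26 May 2026 10:00:00 GMT' };
const SAMPLE_HARDENED = {
  'Content-Type': 'application/octet-stream',
  'Content-Disposition': 'attachment; filename="report.html"',
  'X-Content-Type-Options': 'nosniff',
};

if (process.env.TWENTY_FILE_URL) {
  // TWENTY_FILE_URL=https://your-twenty-crm-domain/files/somefile TWENTY_COOKIE='...' node check.js
  probe(process.env.TWENTY_FILE_URL, process.env.TWENTY_COOKIE).then((r) =>
    console.log(JSON.stringify(r, null, 2))
  );
} else {
  console.log('unpatched sample:', assessFileResponse(SAMPLE_UNPATCHED));
  console.log('hardened sample:', assessFileResponse(SAMPLE_HARDENED));
}
```

Run it against a file you uploaded yourself (a small .html test file is the most direct probe); a result with vulnerable: true on a 200 response reproduces the condition the advisory describes, and the findings list shows which of the three headers are still missing after a partial fix.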
Mitigation Strategies

Immediate mitigation is to make the file serving endpoints send response headers that stop the browser from rendering uploaded files as HTML; upgrading past 1.18.0 once a fixed release is available is the durable option.

  • Set Content-Type from a server-side allow-list keyed to the stored file (never from the type the upload declared), send Content-Disposition: attachment for anything not known to be safe to render inline, and always send X-Content-Type-Options: nosniff.
  • Validate file types at upload beyond the existing SVG handling so that HTML, XHTML and other script-capable formats are rejected or stored for download only.
  • Serve uploaded files from a separate origin (a dedicated domain) so that even content that does get rendered cannot reach the application's cookies, storage or APIs.
  • Restrict file upload permissions to trusted users and monitor uploaded files for suspicious content.
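The fileStream.pipe(res) pattern named in the description, beside a send path that applies the header rules from the mitigation list above, as an added example that is not the Twenty project's code. The hypothetical buildFileHeaders() derives Content-Type from an allow-list keyed on the stored file's extension, forces a download for anything not on that list, and always sets nosniff and a restrictive Content-Security-Policy. The allow-list contents and the sample file names are assumptions to be adjusted per deployment.

```javascript
// Added example, not code from the Twenty project.
// Types safe to render inline. Active content (html, xhtml, svg, xml) is
// deliberately absent, so it can never be served with an inline disposition.
// Add further types (e.g. pdf) only after checking how your browsers render them.
const INLINE_TYPES = {
  png: 'image/png',
  jpg: 'image/jpeg',
  jpeg: 'image/jpeg',
  gif: 'image/gif',
  webp: 'image/webp',
};

// Last extension of the base name, lower-cased; "" when there is none.
// "page.png.html" -> "html", so a double extension cannot smuggle HTML inline.
function extensionOf(name) {
  const base = name.split(/[\\/]/).pop() || '';
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot + 1).toLowerCase() : '';
}

// RFC 6266 value: ASCII fallback plus RFC 5987 filename* for non-ASCII names.
// Quotes and backslashes are replaced so the file name cannot break the header.
function contentDisposition(kind, fileName) {
  const ascii = fileName.replace(/[^\x20-\x7e]/g, '_').replace(/["\\]/g, '_');
  return `${kind}; filename="${ascii}"; filename*=UTF-8''${encodeURIComponent(fileName)}`;
}

function buildFileHeaders(storedName) {
  const inlineType = INLINE_TYPES[extensionOf(storedName)];
  const headers = {
    // Never let the browser second-guess the declared type.
    'X-Content-Type-Options': 'nosniff',
    // Even if a renderable type were ever mis-classified, nothing may load or run.
    'Content-Security-Policy': "default-src 'none'",
    'Cache-Control': 'private, no-transform',
  };
  if (inlineType) {
    headers['Content-Type'] = inlineType;
    headers['Content-Disposition'] = contentDisposition('inline', storedName);
  } else {
    // Unknown or active types: opaque binary, and the browser must save, not render.
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = contentDisposition('attachment', storedName);
  }
  return headers;
}

// The pattern the advisory describes: no headers, the browser sniffs the body.
function vulnerableSend(res, fileStream) {
  fileStream.pipe(res);
}

// Hardened: set every header before the first byte is written, then stream
// the bytes unchanged. res is a Node http.ServerResponse (or Express res).
function hardenedSend(res, fileStream, storedName) {
  for (const [name, value] of Object.entries(buildFileHeaders(storedName))) {
    res.setHeader(name, value);
  }
  fileStream.pipe(res);
}

// Constructed names: an uploaded attack page, an image, an SVG and an
// extension-less upload, to show how each is classified.
for (const name of ['invoice.html', 'photo.PNG', 'diagram.svg', 'upload']) {
  console.log(name, buildFileHeaders(name));
}
```

The allow-list is keyed on the name the server stored, not on anything the client sent in the upload request, and inline rendering is the exception rather than the default; the stronger variant of the same idea is the separate-origin deployment from the list above, where even an inline-rendered file has no access to the application's session.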
Compliance Impact

The vulnerability allows authenticated attackers to upload malicious HTML files that execute JavaScript in the context of the Twenty CRM domain, leading to session hijacking, account takeover, privilege escalation, and data theft.

Such unauthorized access and data theft can result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability negatively impacts compliance with these common standards by exposing user data to potential theft and misuse.
