CVE-2026-46624
Remote Code Execution in Twenty CRM via SQL Injection
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| twenty | crm | From 1.7.7 (inc) to 1.16.7 (inc) |
| twentyhq | twelve_crm | From 1.7.7 (inc) to 1.16.7 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46624 is a critical Remote Code Execution (RCE) vulnerability in Twenty CRM versions 1.7.7 through 1.16.7. It chains an SQL injection with PostgreSQL's COPY TO PROGRAM feature. The root cause is that the timeZone parameter of the REST API groupBy endpoint is inserted directly into raw SQL expressions without any sanitization, validation, or parameterization.
An authenticated user can exploit this flaw by injecting SQL through the unsanitized timeZone parameter. If the PostgreSQL user runs as a superuser (as in default Docker deployments), the attacker can execute arbitrary operating system commands on the database server by creating and executing shell scripts via stacked SQL queries.
How can this vulnerability impact me?
This vulnerability allows an authenticated user to execute arbitrary OS commands on the database server, potentially leading to full compromise of the server hosting Twenty CRM.
- Complete loss of confidentiality, as attackers can access sensitive data stored in the database.
- Loss of integrity, since attackers can modify or delete data.
- Loss of availability, as attackers can disrupt or disable the database server.
- No administrative privileges are required to exploit this vulnerability, making it easier for attackers to leverage.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts to exploit the unsanitized timeZone parameter in the REST API groupBy endpoint of Twenty CRM versions 1.7.7 through 1.16.7.
You can monitor logs for suspicious SQL injection patterns or unusual commands targeting the groupBy endpoint, especially those including SQL keywords or attempts to use PostgreSQL COPY TO PROGRAM functionality.
Example commands to detect exploitation attempts might include searching web server or application logs for requests containing the groupBy endpoint with suspicious timeZone parameter values.
- Using grep to find suspicious requests in logs: grep -i 'groupBy.*timeZone' /var/log/twentycrm/access.log
- Searching for SQL keywords or COPY TO PROGRAM usage in logs: grep -E '(COPY TO PROGRAM|;|--|\bselect\b|\binsert\b|\bupdate\b)' /var/log/twentycrm/access.log
Additionally, monitoring PostgreSQL logs for unusual COPY TO PROGRAM commands or shell script executions can help detect exploitation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade Twenty CRM to a version later than 1.16.7 where this vulnerability is fixed.
- If upgrading is not immediately possible, restrict access to the REST API groupBy endpoint to trusted users only.
- Limit PostgreSQL superuser privileges, especially in Docker deployments, to prevent exploitation of COPY TO PROGRAM.
- Implement input validation and sanitization on the timeZone parameter to prevent SQL injection.
- Monitor logs for suspicious activity and respond promptly to any detected exploitation attempts.
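Added example (TypeScript, not Twenty CRM's own code) of the validation item above: the timeZone value is checked against an allowlist of IANA zone names and then bound as a query parameter, shown beside the string-splicing pattern that CWE-89 describes. The table and column names and the node-postgres query shape are assumptions, not Twenty's schema.

```typescript
// Added example, not Twenty CRM's own code: validate a groupBy timeZone value and
// bind it as a parameter, beside the string-splicing pattern that CWE-89 describes.

// Syntactic allowlist for IANA zone names such as "America/New_York", "Etc/GMT+5", "UTC".
// Quotes, semicolons, spaces and comment markers never pass this test.
const TZ_SYNTAX = /^[A-Za-z_][A-Za-z0-9_+\-]*(?:\/[A-Za-z0-9_+\-]+)*$/;

// Semantic check: the runtime's ICU tables reject zone names they do not know.
function isValidTimeZone(tz: string): boolean {
  if (typeof tz !== 'string' || tz.length > 64 || !TZ_SYNTAX.test(tz)) return false;
  try {
    new Intl.DateTimeFormat('en-US', { timeZone: tz });
    return true;
  } catch {
    return false;
  }
}

// node-postgres style query config: SQL text plus positional bind values.
interface SqlQuery { text: string; values: string[] }

// The CWE-89 pattern: caller input spliced into the SQL text. A value carrying a quote
// or statement separator becomes SQL instead of staying data. Table/column are hypothetical.
function buildGroupByQueryUnsafe(tz: string): SqlQuery {
  return {
    text: `SELECT date_trunc('day', "createdAt" AT TIME ZONE '${tz}') AS day, count(*) ` +
          `FROM "record" GROUP BY day ORDER BY day`,
    values: [],
  };
}

// Hardened form: reject anything outside the allowlist, then pass the zone as bind
// parameter $1 so the database only ever sees it as a string value.
function buildGroupByQuery(tz: string): SqlQuery {
  if (!isValidTimeZone(tz)) {
    throw new RangeError('timeZone must be a known IANA time zone name');
  }
  return {
    text: 'SELECT date_trunc(\'day\', "createdAt" AT TIME ZONE $1) AS day, count(*) ' +
          'FROM "record" GROUP BY day ORDER BY day',
    values: [tz],
  };
}
```

The same two checks apply to any other request value that ends up inside a raw SQL expression; the bind parameter is what makes the query safe, the allowlist is what keeps garbage out of the log.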