CVE-2026-46624
Analyzed Analyzed - Analysis Complete
Remote Code Execution in Twenty CRM via SQL Injection

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If Postgres user is a super user then any authenticated user can execute arbitrary OS commands on the database server by injecting SQL through the unsanitized timeZone parameter in the REST API groupBy endpoint. The timeZone field within the group_by query parameter is directly interpolated into a raw SQL expression using JavaScript template literals without any parameterization, validation, or escaping. This affects engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-46624
EUVD
EUVD-2026-31907
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
twenty twenty From 1.7.7 (inc) to 1.16.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to execute arbitrary OS commands on the database server, potentially compromising the confidentiality, integrity, and availability of data stored within Twenty CRM.

Such a compromise could lead to unauthorized access, modification, or destruction of sensitive personal or health information, which would negatively impact compliance with data protection regulations such as GDPR and HIPAA.

Because the vulnerability enables full control over the database server without requiring administrative privileges, it poses a significant risk to maintaining the security controls mandated by these standards.

Executive Summary

CVE-2026-46624 is a critical Remote Code Execution (RCE) vulnerability in Twenty CRM versions 1.7.7 through 1.16.7. It arises from a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. The vulnerability exists because the timeZone parameter in the REST API groupBy endpoint is directly inserted into raw SQL expressions without any sanitization, validation, or parameterization.

An authenticated user can exploit this flaw by injecting malicious SQL code through the unsanitized timeZone parameter. If the PostgreSQL user runs as a superuser (as in default Docker deployments), the attacker can execute arbitrary operating system commands on the database server by creating and executing shell scripts via stacked SQL queries.

Impact Analysis

This vulnerability allows an authenticated user to execute arbitrary OS commands on the database server, potentially leading to full compromise of the server hosting Twenty CRM.

  • Complete loss of confidentiality, as attackers can access sensitive data stored in the database.
  • Loss of integrity, since attackers can modify or delete data.
  • Loss of availability, as attackers can disrupt or disable the database server.
  • No administrative privileges are required to exploit this vulnerability, making it easier for attackers to leverage.
Detection Guidance

Detection of this vulnerability involves identifying attempts to exploit the unsanitized timeZone parameter in the REST API groupBy endpoint of Twenty CRM versions 1.7.7 through 1.16.7.

You can monitor logs for suspicious SQL injection patterns or unusual commands targeting the groupBy endpoint, especially those including SQL keywords or attempts to use PostgreSQL COPY TO PROGRAM functionality.

Example commands to detect exploitation attempts might include searching web server or application logs for requests containing the groupBy endpoint with suspicious timeZone parameter values.

  • Using grep to find suspicious requests in logs: grep -i 'groupBy.*timeZone' /var/log/twentycrm/access.log
  • Searching for SQL keywords or COPY TO PROGRAM usage in logs: grep -E '(COPY TO PROGRAM|;|--|\bselect\b|\binsert\b|\bupdate\b)' /var/log/twentycrm/access.log

Additionally, monitoring PostgreSQL logs for unusual COPY TO PROGRAM commands or shell script executions can help detect exploitation.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Twenty CRM to a version later than 1.16.7 where this vulnerability is fixed.
  • If upgrading is not immediately possible, restrict access to the REST API groupBy endpoint to trusted users only.
  • Limit PostgreSQL superuser privileges, especially in Docker deployments, to prevent exploitation of COPY TO PROGRAM.
  • Implement input validation and sanitization on the timeZone parameter to prevent SQL injection.
  • Monitor logs for suspicious activity and respond promptly to any detected exploitation attempts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46624. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart