CVE-2026-49141
Status: Received - Intake
Authorization Bypass in WACRM Automation Engine

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulnCheck

Description
WACRM prior to commit 73041bf contains an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client, which bypasses row-level security, to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-49141 is an authorization bypass vulnerability in the automation engine of WACRM versions prior to commit 73041bf. It allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary contact_id in a POST request without verifying tenant ownership.

The vulnerability exploits a service-role client that bypasses row-level security, enabling attackers to modify victim contact fields such as name, email, and company across tenant boundaries using only a known contact UUID.

Impact Analysis

This vulnerability can lead to unauthorized access and modification of contact information across tenant boundaries in the WACRM system.

  • Attackers can change sensitive contact fields like name, email, and company for contacts that do not belong to their tenant.
  • Such unauthorized modifications can compromise data integrity and confidentiality.
  • It may result in data leakage or manipulation that affects business operations or trust between tenants.

Detection Guidance

Detection of this vulnerability involves monitoring POST requests to the automation engine whose request body carries a contact_id that does not belong to the authenticated tenant.

Since the vulnerability allows modification of contacts across tenant boundaries using a known contact UUID, detection can focus on identifying suspicious automation engine requests where contact IDs are manipulated or do not match the tenant context.

Commands or methods to detect this may include:

  • Inspecting web server or application logs for POST requests to the automation engine endpoint containing contact_id parameters that do not belong to the authenticated tenant.
  • Using network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze HTTP POST requests for unusual or unauthorized contact_id values.
  • Querying application logs or databases for contact modifications where the modifying user or service-role client does not match the contact's tenant ownership.
  • Example command to search logs for suspicious POST requests (assuming logs are in JSON or text format):
      grep -i 'POST' /var/log/app/access.log | grep 'contact_id=' | grep -v 'tenant_id=<expected_tenant_id>'
  • Using API request tracing or auditing features to verify that contact_id parameters in automation engine calls are validated against tenant ownership.
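The ownership check described in the list above, carried out over log data, as an added example (this is not code from WACRM or from the advisory). It assumes the application writes one JSON audit record per request carrying the authenticated session's tenant_id and the contact_id taken from the POST body; a plain web-server access log normally does not record request bodies, so an application-level audit log is needed for this to work. The endpoint path prefix, field names, ownership table and log lines are all constructed for the example.

```typescript
// Added example, not WACRM's code: flag automation-engine contact writes
// whose contact belongs to a different tenant than the authenticated session.

interface AuditRecord {
  ts: string;
  actor: string;       // authenticated user
  tenant_id: string;   // tenant of the authenticated session
  method: string;
  path: string;
  contact_id?: string; // contact referenced in the POST body, if any
}

interface Finding {
  ts: string;
  actor: string;
  sessionTenant: string;
  contactId: string;
  ownerTenant: string | null; // null when the contact id is unknown
  reason: string;
}

// Constructed ownership table (contact UUID -> owning tenant). In a real
// deployment this is a query against the contacts table.
const CONTACT_OWNERS: Record<string, string> = {
  "11111111-1111-4111-8111-111111111111": "tenant-a",
  "22222222-2222-4222-8222-222222222222": "tenant-b",
};

// Constructed sample audit log, one JSON object per line. Field names and the
// endpoint path are assumptions, not WACRM's real schema.
const SAMPLE_LOG = [
  '{"ts":"2026-06-08T10:00:00Z","actor":"alice","tenant_id":"tenant-a","method":"POST","path":"/api/automation/run","contact_id":"11111111-1111-4111-8111-111111111111"}',
  '{"ts":"2026-06-08T10:00:05Z","actor":"mallory","tenant_id":"tenant-a","method":"POST","path":"/api/automation/run","contact_id":"22222222-2222-4222-8222-222222222222"}',
  '{"ts":"2026-06-08T10:00:09Z","actor":"mallory","tenant_id":"tenant-a","method":"POST","path":"/api/automation/run","contact_id":"99999999-9999-4999-8999-999999999999"}',
  '{"ts":"2026-06-08T10:00:12Z","actor":"bob","tenant_id":"tenant-b","method":"GET","path":"/api/contacts"}',
  "not json at all",
].join("\n");

function tryParse(line: string): Partial<AuditRecord> | null {
  try {
    const obj: unknown = JSON.parse(line);
    return obj !== null && typeof obj === "object" ? (obj as Partial<AuditRecord>) : null;
  } catch {
    return null; // malformed line: skip it rather than abort the scan
  }
}

function parseAuditLog(text: string): AuditRecord[] {
  const records: AuditRecord[] = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const obj = tryParse(line);
    if (obj === null) continue;
    // Keep only records that carry every field the check relies on.
    if (typeof obj.ts !== "string" || typeof obj.actor !== "string" ||
        typeof obj.tenant_id !== "string" || typeof obj.method !== "string" ||
        typeof obj.path !== "string") continue;
    records.push(obj as AuditRecord);
  }
  return records;
}

function findCrossTenantContactWrites(
  records: AuditRecord[],
  owners: Record<string, string>,
  pathPrefix = "/api/automation", // assumed endpoint prefix
): Finding[] {
  const findings: Finding[] = [];
  for (const r of records) {
    if (r.method !== "POST" || !r.path.startsWith(pathPrefix) || typeof r.contact_id !== "string") continue;
    const owner = owners[r.contact_id] ?? null;
    if (owner === r.tenant_id) continue; // same-tenant write: expected
    findings.push({
      ts: r.ts,
      actor: r.actor,
      sessionTenant: r.tenant_id,
      contactId: r.contact_id,
      ownerTenant: owner,
      reason: owner === null
        ? "contact_id not found in ownership table"
        : `contact belongs to ${owner}, session tenant is ${r.tenant_id}`,
    });
  }
  return findings;
}

function scanSampleLog(): Finding[] {
  return findCrossTenantContactWrites(parseAuditLog(SAMPLE_LOG), CONTACT_OWNERS);
}

for (const f of scanSampleLog()) console.log(`${f.ts} ${f.actor}: ${f.reason}`);
```

Unknown contact IDs are reported as well as confirmed cross-tenant ones, because a request naming a UUID that does not exist in the tenant's own data is exactly the probing pattern this weakness invites; a stream of such 404-style misses from one actor is worth an alert on its own.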

Mitigation Strategies

Immediate mitigation steps include applying the security fix introduced in commit 73041bf or later, which enforces tenant ownership verification for contact IDs in the automation engine.

Specifically, the fix adds an ownership guard in the function handling automation triggers to verify that the supplied contact_id belongs to the authenticated tenant before processing any automation steps.

Additional mitigation measures include:

  • Updating the WACRM system to the latest patched version that includes the fix.
  • Ensuring that all database queries and service-role client operations related to contacts are scoped by tenant or account ID to prevent cross-tenant access.
  • Reviewing and restricting access to the service-role client to minimize the risk of abuse.
  • Implementing monitoring and alerting for suspicious automation engine activity involving contact modifications.
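The ownership guard the fix is said to add, shown as an added example beside the vulnerable shape it replaces (this is not WACRM's code and does not reproduce commit 73041bf). ServiceRoleStore stands in for a service-role database client: it applies no row-level security, so the tenant filter has to live in application code. Function names, the contact schema, the UUID pattern and the seeded records are assumptions made for the example.

```typescript
// Added example, not WACRM's code: an automation-trigger handler in its
// vulnerable shape and with a tenant-ownership guard on the supplied contact_id.

interface Contact { id: string; tenant_id: string; name: string; email: string; company: string }
interface Session { user_id: string; tenant_id: string }
// Only these fields may be patched; id and tenant_id are not part of the type.
type ContactPatch = Partial<Pick<Contact, "name" | "email" | "company">>;
interface RunRequest { contact_id: unknown; patch: ContactPatch } // contact_id as it arrives from JSON
interface Result { status: number; body: string }

class ServiceRoleStore {
  private rows = new Map<string, Contact>();
  constructor(seed: Contact[]) { for (const c of seed) this.rows.set(c.id, { ...c }); }
  // Unscoped read: any row, any tenant, which is what a service-role client returns.
  getById(id: string): Contact | undefined {
    const c = this.rows.get(id);
    return c ? { ...c } : undefined;
  }
  // Scoped read: the tenant is part of the lookup, not an afterthought.
  getByIdForTenant(id: string, tenantId: string): Contact | undefined {
    const c = this.rows.get(id);
    return c && c.tenant_id === tenantId ? { ...c } : undefined;
  }
  update(id: string, patch: ContactPatch): void {
    const c = this.rows.get(id);
    if (c) Object.assign(c, patch);
  }
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Vulnerable shape: the contact_id from the POST body selects the row directly.
function runAutomationUnsafe(store: ServiceRoleStore, _session: Session, req: RunRequest): Result {
  const id = String(req.contact_id);
  if (!store.getById(id)) return { status: 404, body: "not found" };
  store.update(id, req.patch);
  return { status: 200, body: "ok" };
}

// Fixed shape: validate the id, then require the contact to belong to the
// session's tenant before any automation step runs.
function runAutomation(store: ServiceRoleStore, session: Session, req: RunRequest): Result {
  if (typeof req.contact_id !== "string" || !UUID_RE.test(req.contact_id)) {
    return { status: 400, body: "invalid contact_id" };
  }
  const contact = store.getByIdForTenant(req.contact_id, session.tenant_id);
  // Same response for "no such contact" and "another tenant's contact", so the
  // endpoint does not confirm that a guessed UUID exists.
  if (!contact) return { status: 404, body: "not found" };
  store.update(contact.id, req.patch);
  return { status: 200, body: "ok" };
}

// Constructed scenario: a tenant-a session submits tenant-b's contact UUID.
const OWN_ID = "11111111-1111-4111-8111-111111111111";
const VICTIM_ID = "22222222-2222-4222-8222-222222222222";
const SEED: Contact[] = [
  { id: OWN_ID, tenant_id: "tenant-a", name: "Own Contact", email: "own@a.example", company: "A Co" },
  { id: VICTIM_ID, tenant_id: "tenant-b", name: "Victim", email: "victim@b.example", company: "B Co" },
];
const SESSION_A: Session = { user_id: "u-mallory", tenant_id: "tenant-a" };
const PATCH: ContactPatch = { email: "changed@example.test" };

function demo() {
  const unsafeStore = new ServiceRoleStore(SEED);
  const unsafe = runAutomationUnsafe(unsafeStore, SESSION_A, { contact_id: VICTIM_ID, patch: PATCH });
  const fixedStore = new ServiceRoleStore(SEED);
  const crossTenant = runAutomation(fixedStore, SESSION_A, { contact_id: VICTIM_ID, patch: PATCH });
  const sameTenant = runAutomation(fixedStore, SESSION_A, { contact_id: OWN_ID, patch: PATCH });
  const malformed = runAutomation(fixedStore, SESSION_A, { contact_id: { $ne: "" }, patch: PATCH });
  return {
    unsafeStatus: unsafe.status,
    unsafeVictimEmail: unsafeStore.getById(VICTIM_ID)?.email,
    crossTenantStatus: crossTenant.status,
    fixedVictimEmail: fixedStore.getById(VICTIM_ID)?.email,
    sameTenantStatus: sameTenant.status,
    ownEmail: fixedStore.getById(OWN_ID)?.email,
    malformedStatus: malformed.status,
  };
}

console.log(demo());
```

The guard is a scoped read, not a post-hoc comparison: getByIdForTenant puts the tenant into the query itself, which is the shape that survives refactoring and matches the advice above to scope every service-role query by tenant or account ID. Narrowing the patch type so that tenant_id cannot be written closes the companion hole of re-homing a contact into another tenant.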

Compliance Impact

The vulnerability allows authenticated attackers to bypass authorization controls and access or modify contact information belonging to other tenants without proper tenant ownership verification.

Such unauthorized cross-tenant access and modification of personal data (including name, email, and company) can lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and tenant data isolation to protect personal and sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to unauthorized disclosure and modification of protected data.
