CVE-2026-55583
Received Received - Intake
Twenty Cross-Workspace IDOR in AI Agent Monitor

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Twenty is an open-source CRM (customer relationship management) platform. Prior to 2.9.0, Twenty was vulnerable to a cross-workspace insecure direct object reference (IDOR) in the AI agent monitor's AgentTurnResolver, in packages/twenty-server/src/engine/metadata-modules/ai/ai-agent-monitor/reso lvers/agent-turn.resolver.ts. The agentTurns(agentId) query and the evaluateAgentTurn(turnId) mutation looked up rows by agentId or id only; although AgentTurnEntity has a workspaceId column, it was not included in the WHERE clause, and the class-level guards only checked that the caller was authenticated in some workspace rather than that the requested object belonged to it, with the same flaw present in agent-turn-grader.service.ts. As a result, any authenticated user with the AI settings flag, a workspace owner by default, could target any other workspace on the same instance given the victim's agentId or turnId: agentTurns returned the victim's full chat history including message parts such as raw chat text, tool calls, and tool outputs, while evaluateAgentTurn inserted an agentTurnEvaluation row with the victim's workspaceId and fed the victim's turn into the default LLM. The agentId and turnId are non-guessable UUIDs but are exposed in the URL of the settings page. This issue is fixed in version 2.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-55583
EUVD
EUVD-2026-39051
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
twentyhq twenty to 2.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the open-source CRM platform Twenty prior to version 2.9.0. It is a cross-workspace insecure direct object reference (IDOR) issue in the AI agent monitor's AgentTurnResolver component. Specifically, queries and mutations that retrieve or evaluate agent turns used only the agentId or turnId to look up data, without verifying that the requested data belonged to the caller's workspace. Although the data includes a workspaceId column, it was not checked in the query conditions, and the authentication guards only verified that the user was authenticated in some workspace, not the correct one.

As a result, any authenticated user with the AI settings flag (which is granted by default to workspace owners) could access or manipulate data belonging to other workspaces on the same instance if they knew the victim's agentId or turnId. These IDs are UUIDs and not guessable but are exposed in the URL of the settings page. The exposed data includes the victim's full chat history, raw chat text, tool calls, and outputs. Additionally, the evaluateAgentTurn mutation could insert evaluation data into the victim's workspace and feed their data into the default large language model (LLM). This vulnerability was fixed in version 2.9.0.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive data across different workspaces within the same Twenty instance. An attacker who is authenticated and has the AI settings flag can view another workspace's full chat history, including raw chat texts, tool calls, and outputs. This exposure can result in information leakage of potentially confidential or private communications.

Moreover, the attacker can manipulate data by inserting evaluations into another workspace, potentially affecting the integrity of the victim's data and the behavior of AI-driven features. This can undermine trust in the system and lead to misuse or abuse of the platform's AI capabilities.

Mitigation Strategies

The vulnerability is fixed in Twenty version 2.9.0. Immediate mitigation involves upgrading the Twenty CRM platform to version 2.9.0 or later.

Since the issue allows authenticated users with the AI settings flag to access other workspaces' data, restricting or reviewing user permissions related to AI settings and workspace ownership can help reduce risk until the upgrade is applied.

Compliance Impact

This vulnerability allows unauthorized access to sensitive data from other workspaces, including full chat histories with raw message content, tool calls, and outputs. Such unauthorized data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.

Because the vulnerability results in confidentiality loss due to improper authorization checks, affected organizations using the Twenty CRM platform could face compliance risks related to unauthorized disclosure of protected data.

Detection Guidance

This vulnerability can be detected by attempting to access or modify data from other workspaces using known agentId or turnId values while authenticated with the AI settings flag enabled.

Since the agentId and turnId are UUIDs exposed in the URL of the settings page, monitoring HTTP requests to the agentTurns(agentId) query or evaluateAgentTurn(turnId) mutation endpoints for unauthorized access attempts can help detect exploitation.

Suggested commands include using tools like curl or HTTP clients to simulate requests with different agentId or turnId values to verify if cross-workspace data access is possible.

  • Example curl command to test read access: curl -H "Authorization: Bearer <token>" -X POST -d '{"query":"query { agentTurns(agentId: \"<target-agentId>\") { id, messages } }"}' https://<twenty-instance>/graphql
  • Example curl command to test write access: curl -H "Authorization: Bearer <token>" -X POST -d '{"query":"mutation { evaluateAgentTurn(turnId: \"<target-turnId>\") { id } }"}' https://<twenty-instance>/graphql

Monitoring logs for such requests and verifying if data from other workspaces is returned or if unauthorized insertions occur can help detect the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55583. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart