PatchSiren cyber security CVE debrief
CVE-2026-49141 ArnasDon CVE debrief
CVE-2026-49141 is a medium-severity vulnerability in WACRM's automation engine, allowing authenticated attackers to access and modify contacts across tenant boundaries. The vulnerability exists due to a lack of tenant ownership verification in the POST request body, enabling attackers to supply an arbitrary caller-controlled contact_id and bypass row-level security.
- Vendor
- ArnasDon
- Product
- wacrm
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-08
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-08
- Advisory updated
- 2026-06-09
Who should care
Users of WACRM, especially those with multi-tenant environments, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.1 and is classified as CWE-639. It allows attackers to modify victim contact fields, including name, email, and company, using only a known contact UUID.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the patch from commit 73041bf
- Review and update access controls for the automation engine
- Monitor for suspicious activity related to contact modifications
Evidence notes
Evidence of this vulnerability can be found in the commit history and advisory links provided.
Official resources
CVE-2026-49141 was published on 2026-06-08T20:17:01.997Z and modified on 2026-06-09T13:51:18.770Z.