PatchSiren cyber security CVE debrief

CVE-2026-44729 twentyhq CVE debrief

## Summary

Twenty CRM versions 1.18.0 and earlier contain a stored cross-site scripting (XSS) vulnerability in file serving endpoints. The application serves uploaded files without setting security headers (Content-Type, Content-Disposition, X-Content-Type-Options), allowing authenticated attackers to upload HTML files with embedded JavaScript that executes in the victim's browser within the Twenty CRM domain context.

## Technical Details

The vulnerability exists in two file serving endpoints: `/files/*` and `/file/:fileFolder/:id`. These endpoints use `fileStream.pipe(res)` to serve uploaded files without proper response header configuration. The absence of each header has a distinct effect:

- **Content-Type**: allows browsers to sniff and interpret HTML files as executable content
- **Content-Disposition**: without it, nothing forces a download, so the browser renders the file inline
- **X-Content-Type-Options**: permits MIME-type sniffing that can override intended content handling

An authenticated attacker can exploit this by uploading a crafted HTML file containing malicious JavaScript. When another user accesses the file through the vulnerable endpoint, the script executes with full access to the Twenty CRM domain's cookies, session tokens, and authenticated API calls.

## Impact Assessment

**CVSS 3.1 Score: 8.7 (HIGH)**

Attack vectors enabled include:

- Session hijacking via cookie theft
- Account takeover through authenticated API abuse
- Unauthorized data exfiltration from CRM records
- Privilege escalation if administrative users trigger the payload

The vulnerability requires authenticated access to upload files but can affect any user who subsequently accesses the malicious file, including higher-privileged accounts.

## Affected Versions

- Twenty CRM 1.18.0 and earlier

## Detection Guidance

Monitor for:

- HTML file uploads to CRM file storage
- Unexpected outbound requests originating from `/files/*` or `/file/*` paths
- Anomalous session activity following file access events
- Absence of `X-Content-Type-Options: nosniff` header in file download responses

## Remediation

Upgrade to a patched version of Twenty CRM that implements proper security headers for file serving endpoints. As interim

Vendor
twentyhq
Product
twenty
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Twenty CRM administrators, security teams monitoring open-source CRM deployments, and organizations using Twenty for customer relationship management with file sharing capabilities.

Technical summary

Missing security headers in Twenty CRM file serving endpoints (`/files/*`, `/file/:fileFolder/:id`) enable stored XSS. The `fileStream.pipe(res)` implementation lacks Content-Type, Content-Disposition, and X-Content-Type-Options headers, allowing uploaded HTML with JavaScript to execute in the victim's browser context. Authenticated attack vector. CVSS 8.7 HIGH.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Twenty CRM to a version later than 1.18.0 that implements proper Content-Type, Content-Disposition, and X-Content-Type-Options headers for file serving endpoints
  • Implement Web Application Firewall (WAF) rules to block HTML file uploads or force Content-Disposition: attachment for file downloads pending patch
  • Review file upload permissions to restrict HTML content types if business requirements permit
  • Monitor access logs for requests to /files/* and /file/* paths with suspicious referrers or subsequent anomalous API activity
  • Validate that file serving responses include X-Content-Type-Options: nosniff header after upgrade

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-f5h2-3qw5-3qp7. CWE-79 (Improper Neutralization of Input During Web Page Generation) classified as primary weakness. CVSS vector confirms network attack vector, low attack complexity, required privileges, user interaction, and changed scope with high confidentiality and integrity impact.

Official resources

2026-05-26T17:16:46.837Z