PatchSiren cyber security CVE debrief
CVE-2026-46624 twentyhq CVE debrief
A critical remote code execution vulnerability exists in Twenty CRM versions 1.7.7 through 1.16.7. The vulnerability stems from unsanitized user input in the timeZone parameter of the REST API groupBy endpoint, where the parameter is directly interpolated into raw SQL using JavaScript template literals without parameterization, validation, or escaping. An authenticated attacker can exploit this SQL injection to chain into a PostgreSQL COPY TO PROGRAM attack, achieving arbitrary operating system command execution on the database server when the PostgreSQL user has superuser privileges. The affected component is located at engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts. This vulnerability carries a CVSS 3.1 score of 9.9 (Critical) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network attack vector, low complexity, low privileges required, no user interaction, changed scope, and high impacts to confidentiality, integrity, and availability. The weakness classifications include CWE-78 (OS Command Injection) and CWE-89 (SQL Injection).
- Vendor: twentyhq
- Product: twenty
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
Who should care
Organizations running Twenty CRM versions 1.7.7 through 1.16.7, particularly those with externally accessible instances and PostgreSQL superuser configurations. Security teams responsible for CRM application security, database administrators managing PostgreSQL instances supporting Twenty CRM, and DevOps engineers maintaining Twenty CRM deployments should prioritize assessment and remediation.
Technical summary
The vulnerability exists in the groupBy GraphQL resolver utility, where the timeZone field from the group_by query parameter is concatenated directly into a SQL expression using JavaScript template literal syntax. Because the value is never passed as a bound parameter, an attacker controls part of the SQL text. When the application's database role has PostgreSQL superuser privileges, the injected SQL can leverage the COPY TO PROGRAM statement to execute arbitrary shell commands on the underlying operating system. The attack chain requires: (1) valid authentication to the Twenty CRM instance, (2) the ability to invoke the groupBy REST API endpoint, and (3) a PostgreSQL database user with superuser privileges. The vulnerability is rated critical because it allows complete system compromise with relatively low attacker prerequisites.
Defensive priority
critical
Recommended defensive actions
- Upgrade Twenty CRM to a version beyond 1.16.7 as soon as a patched release is available
- Restrict PostgreSQL database user privileges to remove superuser access if not strictly required
- Implement network segmentation to limit database server exposure
- Review and audit groupBy API endpoint usage in access logs for anomalous timeZone parameter values
- Apply principle of least privilege to all database connections used by the application
- Consider Web Application Firewall rules to detect and block SQL injection patterns in the group_by query parameter
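The following is an added example written for this debrief; it is not Twenty's code and is not taken from the advisory. It shows the defensive pattern the technical summary implies (validate the timeZone value against the runtime's IANA list, then bind it as a query parameter instead of interpolating it) and a small access-log check that supports the "audit groupBy API endpoint usage" action above. The REST path `/rest/people`, the JSON shape of the group_by parameter, the date_trunc expression, the log format and the sample log lines are all assumptions constructed for the example.

```typescript
// Added example (not Twenty's code). Hardened handling of a user-supplied
// timeZone value before it reaches SQL, plus a log check for the audit action.
// The REST path, group_by JSON shape, SQL expression and log format are assumed.

export interface ParameterizedQuery {
  text: string;     // SQL text containing only $n placeholders for user data
  values: string[]; // bound parameter values, sent separately from the text
}

// Accepts only names the runtime recognises as IANA time zones ("Europe/Paris",
// "UTC"). Intl.DateTimeFormat throws a RangeError for anything else, so quotes,
// semicolons and other SQL syntax never get past this point.
export function isValidTimeZone(tz: string): boolean {
  if (typeof tz !== "string" || tz.length === 0 || tz.length > 64) return false;
  try {
    const fmt = new Intl.DateTimeFormat("en-US", { timeZone: tz });
    return fmt.resolvedOptions().timeZone.length > 0;
  } catch {
    return false;
  }
}

// The shape the advisory describes, shown only for contrast: the value becomes
// part of the SQL text, so the database parses whatever the caller sent.
export function unsafeGroupByExpression(column: string, timeZone: string): string {
  return `date_trunc('day', "${column}" AT TIME ZONE '${timeZone}')`;
}

// Hardened form: validate, then bind. The time zone travels as $1 and the
// column name (not user-controlled here) is restricted to a plain identifier.
export function safeGroupByExpression(column: string, timeZone: string): ParameterizedQuery {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(column)) throw new Error("invalid column name");
  if (!isValidTimeZone(timeZone)) throw new Error("rejected timeZone value");
  return { text: `date_trunc('day', "${column}" AT TIME ZONE $1)`, values: [timeZone] };
}

// --- Access-log check for the "audit groupBy usage" action -------------------

export interface Finding { line: number; value: string; reason: string; }

// Collects every string found under a "timeZone" key, whatever the surrounding
// JSON structure looks like (the exact group_by shape is not assumed).
function collectTimeZones(node: unknown, out: string[]): void {
  if (Array.isArray(node)) { node.forEach((n) => collectTimeZones(n, out)); return; }
  if (node !== null && typeof node === "object") {
    const obj = node as Record<string, unknown>;
    for (const k in obj) {
      if (!Object.prototype.hasOwnProperty.call(obj, k)) continue;
      if (k === "timeZone" && typeof obj[k] === "string") out.push(obj[k] as string);
      else collectTimeZones(obj[k], out);
    }
  }
}

// Flags requests whose group_by parameter carries a timeZone that is not a real
// IANA name, or a group_by value that does not even decode as JSON.
export function findSuspiciousTimeZones(logLines: string[]): Finding[] {
  const findings: Finding[] = [];
  logLines.forEach((line, idx) => {
    const m = line.match(/[?&]group_by=([^&\s"]+)/);
    if (!m) return;
    let parsed: unknown;
    try {
      parsed = JSON.parse(decodeURIComponent(m[1]));
    } catch {
      findings.push({ line: idx + 1, value: m[1], reason: "group_by is not decodable JSON" });
      return;
    }
    const zones: string[] = [];
    collectTimeZones(parsed, zones);
    for (const tz of zones) {
      if (!isValidTimeZone(tz)) {
        findings.push({ line: idx + 1, value: tz, reason: "timeZone is not an IANA name" });
      }
    }
  });
  return findings;
}

// Constructed sample log lines (not real traffic); the format is assumed.
function accessLogLine(ip: string, groupBy: string): string {
  return `${ip} - - [26/May/2026:10:00:01 +0000] "GET /rest/people?group_by=${encodeURIComponent(groupBy)} HTTP/1.1" 200 512`;
}

export const SAMPLE_LOG: string[] = [
  accessLogLine("10.0.0.5", '[{"field":"createdAt","timeZone":"Europe/Paris"}]'),
  accessLogLine("10.0.0.9", '[{"field":"createdAt","timeZone":"UTC\'"}]'),
  '10.0.0.7 - - [26/May/2026:10:00:03 +0000] "GET /rest/people HTTP/1.1" 200 2048',
  accessLogLine("10.0.0.9", "not-json"),
];
```

Running `findSuspiciousTimeZones(SAMPLE_LOG)` over the constructed lines flags the second line (a timeZone containing a stray quote) and the fourth (a group_by value that is not JSON) while leaving the valid Europe/Paris request alone. The same `isValidTimeZone` check is used on both the request path and the log path, so a value that would be rejected by the hardened resolver is exactly the one the audit surfaces; a WAF rule built on the same allowlist idea (reject anything that is not a known IANA name) is more robust than pattern-matching SQL keywords.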
Evidence notes
Vulnerability confirmed through official GitHub Security Advisory GHSA-jgx4-6mr9-9573. Affected versions explicitly bounded: 1.7.7 through 1.16.7. Attack requires authenticated access and superuser PostgreSQL privileges. SQL injection point identified in specific source file path.
Official resources
- CVE-2026-46624 CVE record (CVE.org)
- CVE-2026-46624 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, Exploit (2026-05-26)