Description
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.
Published: 2026-03-05
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SSRF bypass allowing authenticated users to reach internal network resources through redirects
Action: Patch immediately
AI Analysis

Impact

Twenty is an open-source CRM that, prior to version 1.18, implemented SSRF protection by validating the URL supplied to its secure HTTP client (SecureHttpClientService) at the time a request was made. The validator did not inspect the target of HTTP redirect responses, so once the initial URL passed the check the client would follow a Location header to any address. An attacker who could influence an outbound request URL, such as a webhook endpoint or an image URL, could point it at a server they control and have that server answer with a redirect to a private IP address. When the CRM followed the redirect, the request was sent into the internal network, potentially exposing internal services. The flaw is classified as CWE-918 (Server-Side Request Forgery); the assigned CVSS vector scores a limited confidentiality impact with no integrity or availability impact.
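The following TypeScript is an added illustration of the two behaviours described above; it is not taken from Twenty's SecureHttpClientService. The request loop, the in-memory response table, the host names (attacker.example, partner.example) and the helper names are constructed for the example. The vulnerable shape validates only the first URL and lets redirects run unchecked; the hardened shape refuses automatic redirect following and re-validates every Location it is handed.

```typescript
// Added example (not Twenty's code): validating only the initial request URL versus
// validating every redirect hop. The HTTP layer is replaced by an in-memory table so
// the example runs offline.

type HttpResponse = { status: number; headers: Record<string, string>; body: string };
type HttpClient = (url: string) => HttpResponse; // stand-in for a real HTTP client

const MAX_REDIRECTS = 5;

// Illustrative IPv4 check: 0.0.0.0/8, loopback, RFC 1918 and link-local (which covers
// the 169.254.169.254 cloud metadata address). A production check must also resolve
// DNS names, handle IPv6 literals and reject alternate IP encodings.
function isPrivateIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  );
}

// Request-level validation: http(s) only, no loopback, private or IPv6-literal hosts.
function assertAllowedUrl(raw: string): URL {
  const u = new URL(raw);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`blocked scheme: ${u.protocol}`);
  }
  if (u.hostname === 'localhost' || u.hostname.startsWith('[') || isPrivateIPv4(u.hostname)) {
    throw new Error(`blocked host: ${u.hostname}`);
  }
  return u;
}

// Shared request loop. `checkEveryHop` is the only difference between the two shapes:
// a real client that follows redirects internally behaves like checkEveryHop = false,
// because application code never sees the intermediate Location values.
function request(client: HttpClient, raw: string, checkEveryHop: boolean): HttpResponse {
  let url = assertAllowedUrl(raw).toString(); // the initial URL is always validated
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = client(url);
    const location = res.headers['location'];
    if (res.status < 300 || res.status > 399 || !location) return res;
    const next = new URL(location, url).toString(); // resolve a relative Location against the current URL
    url = checkEveryHop ? assertAllowedUrl(next).toString() : next;
  }
  throw new Error('too many redirects');
}

// Pre-1.18 shape: validated once, then redirects followed unchecked.
function fetchVulnerable(client: HttpClient, raw: string): HttpResponse {
  return request(client, raw, false);
}

// Fixed shape: redirects are followed manually and each target is re-validated.
function fetchHardened(client: HttpClient, raw: string): HttpResponse {
  return request(client, raw, true);
}

// Constructed table standing in for the network: an assumed attacker-controlled host
// that redirects into the link-local metadata address, and a benign partner host.
const network: Record<string, HttpResponse> = {
  'https://attacker.example/webhook': {
    status: 302,
    headers: { location: 'http://169.254.169.254/latest/meta-data/' },
    body: '',
  },
  'http://169.254.169.254/latest/meta-data/': {
    status: 200,
    headers: {},
    body: 'ami-id\ninstance-id\n',
  },
  'https://partner.example/webhook': { status: 200, headers: {}, body: 'ok' },
};
const fakeClient: HttpClient = (url) => network[url] ?? { status: 404, headers: {}, body: '' };

// Runs both clients against the same attacker URL and reports what each reached.
function demonstrate(): { vulnerableBody: string; hardenedError: string } {
  const vulnerableBody = fetchVulnerable(fakeClient, 'https://attacker.example/webhook').body;
  let hardenedError = '';
  try {
    fetchHardened(fakeClient, 'https://attacker.example/webhook');
  } catch (e) {
    hardenedError = e instanceof Error ? e.message : String(e);
  }
  return { vulnerableBody, hardenedError };
}

console.log(demonstrate());
```

Both shapes reject a private address given directly, which is why the pre-1.18 check looked sufficient; only the redirect path separates them. In a real client the hardened shape corresponds to disabling automatic redirect handling (however the library spells that option) and driving the loop yourself, so that every intermediate target passes through the same validator as the first.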

Affected Systems

The vulnerability exists in every release of the Twenty application before version 1.18. The product is delivered by twentyhq as the "twenty" open-source CRM. Upgrading to version 1.18 or later removes the defect by ensuring that redirect targets are also validated against the same URL restrictions.

Risk and Exploitability

The CVSS v3.1 base score of 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) indicates medium severity: the bypass is reachable over the network with low attack complexity and no user interaction, but requires an authenticated low-privilege account, and the vector records a scope change with limited confidentiality impact only. The EPSS score of less than 1% suggests a very low likelihood of exploitation at this time, the SSVC assessment records Exploitation: none and Automatable: no, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires that the attacker obtains authenticated access to the CRM and can set an outbound URL such as a webhook endpoint or image location; from there the redirect bypass is carried out remotely with relative ease, since the attacker only needs a server that answers with a redirect to an internal address. Despite the low exploitation probability, the potential to reach internal network resources justifies prompt remediation.

Generated by OpenCVE AI on April 18, 2026 at 09:53 UTC.

Remediation

The CVE description identifies version 1.18 as the fixed release; no separate vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade to Twenty version 1.18 or later to apply the official patch that validates redirect targets
  • If upgrading is not immediately possible, use configuration or policy controls to eliminate or strictly limit the ability of authenticated users to specify outbound URLs such as webhook endpoints or image locations
  • Deploy network-level controls—such as firewall rules or application proxies—to block outgoing connections from the CRM to private IP ranges, providing a secondary defense against SSRF


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 18:30:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:twenty:twenty:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 17:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Twenty
                                        Twenty twenty
Vendors & Products                      Twenty
                                        Twenty twenty

Thu, 05 Mar 2026 18:15:00 +0000

Type           Values Removed    Values Added
Description                      Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.
Title                            Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client
Weaknesses                       CWE-918
References
Metrics                          cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:11:48.950Z

Reserved: 2026-02-17T03:08:23.490Z

Link: CVE-2026-27023

Vulnrichment

Updated: 2026-03-06T15:50:56.993Z

NVD

Status : Analyzed

Published: 2026-03-05T19:16:05.493

Modified: 2026-03-10T18:25:40.727

Link: CVE-2026-27023

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses