Description
Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If the Postgres user is a superuser, then any authenticated user can execute arbitrary OS commands on the database server by injecting SQL through the unsanitized timeZone parameter in the REST API groupBy endpoint. The timeZone field within the group_by query parameter is directly interpolated into a raw SQL expression using JavaScript template literals without any parameterization, validation, or escaping. This affects engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts.
Published: 2026-05-26
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A critical Remote Code Execution vulnerability exists in the Twenty CRM platform from versions 1.7.7 through 1.16.7. An authenticated user can exploit a chained SQL injection and PostgreSQL COPY TO PROGRAM attack by injecting malicious content into the unsanitized timeZone parameter of the groupBy endpoint. The raw SQL expression is assembled using JavaScript template literals, allowing direct SQL execution that, if the database user is a superuser, translates into arbitrary OS command execution on the database server. The impact is full control over the database server's operating system and all data it holds, representing a catastrophic breach.

Affected Systems

The affected systems are installations of the Twenty open-source CRM provided by twentyhq, specifically any version in the 1.7.7 through 1.16.7 range. The vulnerability lies in the file get-group-by-expression.util.ts located under engine/api/graphql/graphql-query-runner/group-by/resolvers/utils. No other products or vendors are listed as impacted.

Risk and Exploitability

The CVSS score of 9.9 denotes a critical severity. The EPSS score is not available, so the current exploitation probability is unknown; however, because the attack requires only authentication and the presence of a superuser database role, the risk is high. The vulnerability is not in the CISA KEV catalog. An attacker would authenticate to the CRM, submit a crafted timeZone value in the groupBy request, and cause the database to run arbitrary shell commands via COPY TO PROGRAM. Success depends on the database user having superuser privileges, but many deployments configure the CRM with such privileges, amplifying the potential impact.

Generated by OpenCVE AI on May 26, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Twenty CRM to the latest patch version (any release after 1.16.7) that replaces the unsanitized query with a parameterized, validated version.
  • Reconfigure the PostgreSQL role used by the CRM so that it does not have superuser rights; grant it only the privileges the application's queries require.
  • Modify the application to perform explicit validation or sanitization of the timeZone input, or replace the template literal interpolation with a parameterized query constructed by a safe query builder. This step is only a partial mitigation and should be applied if an upgrade cannot be performed immediately.
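Added example, not Twenty's code: a two-layer allowlist check for a caller-supplied timeZone (strict IANA name syntax, then an ICU lookup via Intl.DateTimeFormat, which throws RangeError for unknown zones) and a parameterized query fragment in the shape node-postgres accepts, replacing template-literal interpolation. The SQL text and the buildGroupByDayExpression helper are assumptions for illustration, not the project's real expression.

```typescript
// Added example, not Twenty's code: validate timeZone before it reaches SQL,
// and pass it as a bind value rather than as SQL text.

// Strict shape of an IANA zone name: letters, digits, '_', '+', '-' and '/'.
// Quotes, spaces, semicolons and parentheses never match.
const TZ_SYNTAX = /^[A-Za-z][A-Za-z0-9_+-]*(?:\/[A-Za-z0-9_+-]+)*$/;

// True only for a syntactically clean name that the runtime's ICU data knows.
export function isValidTimeZone(tz: unknown): tz is string {
  if (typeof tz !== "string" || tz.length > 64 || !TZ_SYNTAX.test(tz)) {
    return false;
  }
  try {
    // Intl.DateTimeFormat throws RangeError for an unknown time zone.
    new Intl.DateTimeFormat("en-US", { timeZone: tz });
    return true;
  } catch {
    return false;
  }
}

// Hypothetical query fragment (node-postgres style: text plus bind values).
export interface SqlFragment {
  text: string;
  values: string[];
}

// Assumed helper: groups a timestamp column by day in the requested zone.
// The zone travels as $1, so no user input is ever spliced into the SQL text.
export function buildGroupByDayExpression(
  column: string,
  timeZone: unknown,
): SqlFragment {
  if (!isValidTimeZone(timeZone)) {
    throw new Error("invalid timeZone");
  }
  // column is developer-controlled; quote it as an identifier defensively.
  const ident = `"${column.replace(/"/g, '""')}"`;
  return {
    text: `date_trunc('day', ${ident} AT TIME ZONE $1)`,
    values: [timeZone],
  };
}
```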

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:twenty:twenty:*:*:*:*:*:*:*:*

Wed, 27 May 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Twenty, Twenty twenty

Type: Vendors & Products
Values Added: Twenty, Twenty twenty

Tue, 26 May 2026 19:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 18:00:00 +0000

Type: Description
Values Added: Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If Postgres user is a super user then any authenticated user can execute arbitrary OS commands on the database server by injecting SQL through the unsanitized timeZone parameter in the REST API groupBy endpoint. The timeZone field within the group_by query parameter is directly interpolated into a raw SQL expression using JavaScript template literals without any parameterization, validation, or escaping. This affects engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts.

Type: Title
Values Added: Twenty: SQL Injection via the timeZone field

Type: Weaknesses
Values Added: CWE-78, CWE-89

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T18:58:23.725Z

Reserved: 2026-05-15T19:34:14.012Z

Link: CVE-2026-46624

Vulnrichment

Updated: 2026-05-26T18:57:35.635Z

NVD

Status: Analyzed

Published: 2026-05-26T18:16:52.400

Modified: 2026-06-17T10:53:48.773

Link: CVE-2026-46624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T09:30:26Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')