Description
WACRM prior to commit 73041bf contains an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.
Published: 2026-06-08
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in WACRM’s automation engine allows an authenticated attacker to bypass tenant isolation by providing an arbitrary contact_id in a POST request. Because the service‑role client ignores row‑level security, the attacker can read and modify contact fields—name, email, and company—on any tenant without ownership verification.

Affected Systems

ArnasDon WACRM prior to commit 73041bf is affected. Any instance that has not applied the patch corresponding to that commit remains vulnerable. The issue applies to all deployments that expose the automation‑engine endpoint to authenticated users.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, while the lack of an EPSS score and absence from the CISA KEV catalog suggest no currently known exploitation, though the risk remains legitimate. Exploitation requires authentication and knowledge of a contact UUID; once those are satisfied, the attacker can make cross‑tenant modifications. The most likely attack vector is through a legitimate service‑role client that has been granted excessive privileges, leading to potential data tampering.

Generated by OpenCVE AI on June 8, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch commit 73041bf to WACRM, ensuring the code no longer accepts arbitrary contact_id without tenant verification.
  • Restrict the use of the service‑role client and enforce least‑privilege access for accounts that require it.
  • Implement tenant‑ownership checks or role‑based access control to enforce row‑level security on contact data.
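The tenant‑ownership check the recommendations call for, shown as an added illustration rather than WACRM's own code: a vulnerable contact‑update handler beside a hardened one. The in‑memory Map, the session object shape, and the sample contacts are assumptions standing in for the service‑role client and the real endpoint.

```javascript
// Added example, not WACRM's code: the automation-engine contact update from
// CVE-2026-49141 as a vulnerable handler beside a hardened one. A Map stands
// in for the service-role client; like the real one it ignores row-level
// security and returns any row by primary key. Session shape is assumed.

const ALICE_ID = "11111111-1111-4111-8111-111111111111"; // constructed
const BOB_ID = "22222222-2222-4222-8222-222222222222";   // constructed

// Constructed sample data: one contact in each of two tenants.
function seedContacts() {
  return new Map([
    [ALICE_ID, { tenant_id: "tenant-a", name: "Alice", email: "alice@example.com", company: "A Corp" }],
    [BOB_ID, { tenant_id: "tenant-b", name: "Bob", email: "bob@example.com", company: "B Corp" }],
  ]);
}

// Only these fields are writable through the endpoint; tenant_id is not.
const UPDATABLE = ["name", "email", "company"];
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function applyFields(row, body) {
  for (const k of UPDATABLE) if (typeof body[k] === "string") row[k] = body[k];
}

// Vulnerable (CWE-639): the caller-supplied contact_id selects the row and
// nothing ties that row to the caller's tenant.
function updateContactVulnerable(db, session, body) {
  const row = db.get(body.contact_id);
  if (!row) return { status: 404 };
  applyFields(row, body);
  return { status: 200 };
}

// Hardened: validate the id, then require the row to belong to the caller's
// tenant. A foreign or missing row gets the same 404, so the endpoint does
// not reveal which UUIDs exist in other tenants.
function updateContactSafe(db, session, body) {
  if (typeof body.contact_id !== "string" || !UUID_RE.test(body.contact_id)) return { status: 400 };
  const row = db.get(body.contact_id);
  if (!row || row.tenant_id !== session.tenant_id) return { status: 404 };
  applyFields(row, body);
  return { status: 200 };
}
```

Using a caller‑scoped database client that is subject to row‑level security would make the comparison redundant for this endpoint, but keeping the check in the handler also covers any other code path that reuses the service‑role client.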


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | WACRM prior to commit 73041bf contains an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.
Title | (none) | WACRM Authorization Bypass via Automation Engine Endpoint
Weaknesses | (none) | CWE-639
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T19:13:16.960Z

Reserved: 2026-05-27T17:40:12.739Z

Link: CVE-2026-49141

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-08T20:17:01.997

Modified: 2026-06-08T20:17:01.997

Link: CVE-2026-49141

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T20:30:06Z

Weaknesses