Description
Twenty is an open-source CRM (customer relationship management) platform. Prior to 2.9.0, Twenty was vulnerable to a cross-workspace insecure direct object reference (IDOR) in the AI agent monitor's AgentTurnResolver, in packages/twenty-server/src/engine/metadata-modules/ai/ai-agent-monitor/resolvers/agent-turn.resolver.ts. The agentTurns(agentId) query and the evaluateAgentTurn(turnId) mutation looked up rows by agentId or id only; although AgentTurnEntity has a workspaceId column, it was not included in the WHERE clause, and the class-level guards only checked that the caller was authenticated in some workspace rather than that the requested object belonged to it, with the same flaw present in agent-turn-grader.service.ts. As a result, any authenticated user with the AI settings flag, a workspace owner by default, could target any other workspace on the same instance given the victim's agentId or turnId: agentTurns returned the victim's full chat history including message parts such as raw chat text, tool calls, and tool outputs, while evaluateAgentTurn inserted an agentTurnEvaluation row with the victim's workspaceId and fed the victim's turn into the default LLM. The agentId and turnId are non-guessable UUIDs but are exposed in the URL of the settings page. This issue is fixed in version 2.9.0.
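The lookup shape the description refers to, as an added example that is not Twenty's own code: an in-memory stand-in for the AgentTurnEntity table (the row shape, sample rows, the AuthContext type and all function names are assumptions), with the id-only lookup beside one that also filters on the workspaceId taken from the server-side authenticated context rather than from the request.

```typescript
// Added example, not code from the Twenty project. Models the agent-turn lookup
// with a constructed in-memory table instead of TypeORM.

interface AgentTurnRow {
  id: string;          // turnId, a non-guessable UUID in the real system
  agentId: string;
  workspaceId: string; // the column the vulnerable WHERE clause omitted
  messages: string[];  // stands in for message parts (chat text, tool calls, tool outputs)
}

// Constructed sample rows: two workspaces sharing one instance.
const AGENT_TURNS: AgentTurnRow[] = [
  { id: 'turn-a1', agentId: 'agent-a', workspaceId: 'ws-alpha', messages: ['hi', 'tool:search'] },
  { id: 'turn-b1', agentId: 'agent-b', workspaceId: 'ws-beta', messages: ['confidential quote'] },
];

// What the class-level guard establishes: the caller is authenticated in SOME workspace.
interface AuthContext {
  workspaceId: string;
}

// Vulnerable shape: WHERE agentId = ?  (workspaceId from the context is never consulted).
function agentTurnsUnscoped(_ctx: AuthContext, agentId: string): AgentTurnRow[] {
  return AGENT_TURNS.filter((t) => t.agentId === agentId);
}

// Hardened shape: WHERE agentId = ? AND workspaceId = ?, with workspaceId from the
// authenticated context, so a foreign agentId simply matches nothing.
function agentTurnsScoped(ctx: AuthContext, agentId: string): AgentTurnRow[] {
  return AGENT_TURNS.filter((t) => t.agentId === agentId && t.workspaceId === ctx.workspaceId);
}

// Constructed stand-in for the agentTurnEvaluation table.
const EVALUATIONS: { turnId: string; workspaceId: string }[] = [];

// Hardened single-row lookup for evaluateAgentTurn: the same scoping applies to the
// grader path, and a row from another workspace is treated exactly like a missing one,
// so nothing is inserted and nothing is sent to the LLM.
function evaluateAgentTurnScoped(ctx: AuthContext, turnId: string): { turnId: string; workspaceId: string } {
  const turn = AGENT_TURNS.find((t) => t.id === turnId && t.workspaceId === ctx.workspaceId);
  if (!turn) {
    throw new Error('agent turn not found'); // identical response for foreign and nonexistent ids
  }
  const evaluation = { turnId: turn.id, workspaceId: ctx.workspaceId };
  EVALUATIONS.push(evaluation);
  return evaluation;
}
```

The same not-found response for foreign and nonexistent ids matters: a distinct "forbidden" error would confirm that a guessed or leaked turnId exists in another workspace.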
Published: 2026-06-24
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Twenty, an open‑source CRM platform, contained a cross‑workspace Insecure Direct Object Reference (CWE‑639) in the AI agent monitor's AgentTurnResolver. The agentTurns query and evaluateAgentTurn mutation retrieved agent turns by agentId or turnId alone, ignoring the workspaceId column, and the class-level guards only verified that the caller was authenticated in some workspace. Thus any authenticated user with the AI settings flag, which workspace owners hold by default, could request another workspace's agent turns on the same instance. The returned data included the full chat history, message parts and tool outputs, and the evaluateAgentTurn mutation inserted an evaluation row under the victim's workspaceId and fed the victim's turn to the default LLM, potentially exposing sensitive content. The same flaw is present in the associated grader service.

Affected Systems

The affected product is Twenty, the open‑source CRM from TwentyHQ. Versions prior to 2.9.0 are impacted. Users running 2.8.x or lower need to upgrade to avoid the IDOR vulnerability.

Risk and Exploitability

The CVSS score is 7.6 (High). EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog. The expected attack vector is an authenticated user holding the AI settings capability, who can query the agentTurns endpoint or call evaluateAgentTurn with a known UUID to read another workspace's data or trigger LLM evaluation on that workspace's content. The vulnerability is reachable over the network through the application's normal API, but requires legitimate application access and the AI flag, and the agentId and turnId UUIDs must be obtained (for example from the settings page URL) rather than guessed. Because the flaw can lead to full disclosure of another workspace's agent data, it represents a significant confidentiality risk for every workspace on a shared instance.

Generated by OpenCVE AI on June 24, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Twenty application to version 2.9.0 or newer, which removes the missing workspace check.
  • Restrict the AI settings flag so that only administrators or explicitly trusted users can activate it.
  • If an upgrade cannot be performed immediately, revoke the AI settings flag from all users to prevent exploitation until the patch is applied.
  • Monitor application logs for agentTurns and evaluateAgentTurn calls from non‑admin users as a supplemental detection measure.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Twenty is an open-source CRM (customer relationship management) platform. Prior to 2.9.0, Twenty was vulnerable to a cross-workspace insecure direct object reference (IDOR) in the AI agent monitor's AgentTurnResolver, in packages/twenty-server/src/engine/metadata-modules/ai/ai-agent-monitor/resolvers/agent-turn.resolver.ts. The agentTurns(agentId) query and the evaluateAgentTurn(turnId) mutation looked up rows by agentId or id only; although AgentTurnEntity has a workspaceId column, it was not included in the WHERE clause, and the class-level guards only checked that the caller was authenticated in some workspace rather than that the requested object belonged to it, with the same flaw present in agent-turn-grader.service.ts. As a result, any authenticated user with the AI settings flag, a workspace owner by default, could target any other workspace on the same instance given the victim's agentId or turnId: agentTurns returned the victim's full chat history including message parts such as raw chat text, tool calls, and tool outputs, while evaluateAgentTurn inserted an agentTurnEvaluation row with the victim's workspaceId and fed the victim's turn into the default LLM. The agentId and turnId are non-guessable UUIDs but are exposed in the URL of the settings page. This issue is fixed in version 2.9.0.
Title | (none) | Twenty: Cross-workspace IDOR in AgentTurnResolver
Weaknesses | (none) | CWE-639
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T19:21:35.557Z

Reserved: 2026-06-16T23:18:03.169Z

Link: CVE-2026-55583

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T22:00:04Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key