What is CVE-2026-26720?

CVE-2026-26720 is a critical remote code execution vulnerability affecting Twenty CRM versions up to 1.15.0. Organizations must address this security flaw immediately to mitigate serious risks.

What is the severity of CVE-2026-26720?

CVE-2026-26720 has a severity rating of CRITICAL with a CVSS base score of 9.8.

CVE-2026-26720 | Critical Vulnerability in Twenty CRM

CVE-2026-26720 is a critical remote code execution vulnerability affecting Twenty CRM versions up to 1.15.0. This vulnerability allows a remote attacker to execute arbitrary code via the local.driver.ts module. With a CVSS score of 9.8, it represents a significant threat to organizations using this software. The low attack complexity combined with the lack of required privileges and user interaction makes it easier for attackers to exploit.

The implications of this vulnerability are severe. A successful attack could lead to unauthorized access and control over the affected systems, allowing attackers to manipulate data, disrupt services, or deploy further exploits. Organizations should prioritize patching this vulnerability immediately to prevent potential breaches.

Currently, there are no known public exploits confirmed. However, the potential for exploitation is high, and organizations must remain vigilant. Given the critical nature of this vulnerability, immediate action is necessary to secure systems.

Organizations should evaluate their deployment of Twenty CRM and ensure they are on the latest patched version to mitigate this risk. The urgency to address this vulnerability cannot be overstated.

Vulnerability Details

This vulnerability allows a remote attacker to execute arbitrary code via the local.driver.ts module in Twenty CRM versions 1.15.0 and prior. It has a CVSS score of 9.8, indicating critical severity due to the potential impacts on confidentiality, integrity, and availability.

The vulnerability falls under CWE-94, which relates to code injection issues. Its exploitability is classified as critical, and it requires no privileges or user interaction, making it particularly dangerous.

Organizations using affected versions of Twenty CRM should take immediate steps to remediate the vulnerability.

Technical Analysis

The root cause of this vulnerability is a flaw in how the local.driver.ts module processes input. This flaw allows attackers to inject arbitrary code into the execution context of the application.

The attack vector is network-based, allowing remote attackers to exploit this vulnerability without physical access to the vulnerable system. The attack complexity is low, as this vulnerability can be exploited without the need for legitimate credentials or user interaction.

Given that the vulnerability has a high impact on confidentiality, integrity, and availability, organizations must be aware of the potential for data breaches and service disruptions.

Risk & Impact Analysis

Risk to organizations includes unauthorized access, potential data loss, and service interruptions. The critical nature of this vulnerability demands immediate attention from security teams. The potential blast radius is significant, affecting all instances of Twenty CRM running the vulnerable version.

Given the CVSS score of 9.8, organizations should prioritize patching this vulnerability immediately. It is essential to incorporate this update within the priority patch cycle to safeguard against potential exploitation.

Exploitation Status

Signal	Status
Known Exploit	Yes
Public PoC	Yes
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected product is Twenty CRM, with all versions prior to the 1.15.0 vendor patch vulnerable to this issue.

Mitigation & Remediation

Organizations should immediately update Twenty CRM to version 1.15.1 or later to mitigate this vulnerability. If a patch is not available, implement network controls to restrict access to the application. Additionally, consider deploying web application firewalls to monitor and block suspicious traffic.

For further assistance, organizations can utilize our penetration testing services to validate their security posture.

Detection Guidance

Log analysis should focus on identifying unusual patterns of access or behavior that deviate from normal operations. Organizations should monitor for failed login attempts, unexpected code execution logs, and any anomalies in network traffic related to the Twenty CRM application.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2026-26720 lies in its demonstration of the risks associated with remote code execution vulnerabilities. This incident highlights the need for robust security measures and regular software updates to mitigate such risks.

Organizations should learn from this vulnerability to develop stronger security practices, including rigorous testing and validation of third-party libraries and components.

For further reading, consider exploring our articles on penetration testing methodology, vulnerability management programs, and cloud penetration testing to enhance your organization’s defense strategies.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-26720: Critical Vulnerability in Twenty CRM