CVE-2026-26720 Overview
A critical remote code execution (RCE) vulnerability exists in Twenty CRM version 1.15.0 and earlier. The vulnerability resides in the local.driver.ts module, allowing unauthenticated remote attackers to execute arbitrary code on affected systems. Twenty CRM is an open-source CRM platform, and this vulnerability poses a significant risk to organizations running self-hosted instances.
Critical Impact
Remote attackers can achieve complete system compromise through arbitrary code execution without requiring authentication, potentially leading to full control of the CRM server, data exfiltration, and lateral movement within the network.
Affected Products
- Twenty CRM v1.15.0 and earlier versions
- Self-hosted Twenty CRM deployments
- Twenty Twenty (all versions prior to security patch)
Discovery Timeline
- 2026-03-02 - CVE-2026-26720 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2026-26720
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code / Code Injection). The flaw exists within the local.driver.ts module of Twenty CRM, which handles local storage operations. The vulnerability allows attackers to inject and execute arbitrary code through the network without requiring any authentication or user interaction.
The code injection vulnerability enables attackers to craft malicious requests that bypass input validation mechanisms in the local.driver.ts module. Once the malicious payload reaches the vulnerable code path, it is processed and executed within the context of the Twenty CRM application, granting the attacker the same privileges as the application process.
For detailed technical analysis, refer to the Dillon Kirsch RCE Analysis.
Root Cause
The root cause of this vulnerability is improper input validation and sanitization within the local.driver.ts module. The module fails to adequately validate or sanitize user-supplied input before processing it, allowing attackers to inject malicious code that is subsequently executed by the application. This is a classic code injection pattern where untrusted data is interpreted as executable code.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can remotely send specially crafted requests to the vulnerable Twenty CRM instance targeting the local.driver.ts module. The attack has low complexity, meaning it can be executed without specialized conditions or prerequisites beyond network access to the target system.
A proof-of-concept demonstrating this attack is available at the GitHub PoC repository for CVE-2026-26720.
Detection Methods for CVE-2026-26720
Indicators of Compromise
- Unusual outbound network connections from the Twenty CRM server to unknown external hosts
- Unexpected processes spawned by the Twenty CRM application or Node.js runtime
- Anomalous file system modifications in Twenty CRM installation directories
- Suspicious HTTP requests targeting the local.driver.ts module endpoints
- Unexpected system resource utilization patterns on the CRM server
Detection Strategies
- Monitor HTTP request logs for unusual payloads targeting storage-related API endpoints
- Implement application-layer firewalls to inspect and filter requests containing code injection patterns
- Deploy endpoint detection and response (EDR) solutions to identify post-exploitation behaviors
- Analyze process execution chains to detect anomalous child processes from the Twenty CRM application
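As an added example (not code from the page or from the Twenty CRM project), the following scanner applies the "monitor HTTP request logs for unusual payloads targeting storage-related endpoints" strategy to combined-format access-log lines, reusing the keyword list from the page's Nginx workaround. It assumes `/files` and `/upload` as storage route prefixes and shows why a word-boundary match is preferable: the page's bare substring pattern also fires on a harmless file name such as `executive-summary.pdf`.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Keywords from the page's Nginx workaround, as a plain substring match.
NAIVE_RE = re.compile(r"(eval|exec|spawn|child_process)", re.IGNORECASE)
# Same keywords anchored on word boundaries, so "executive" no longer matches "exec".
STRICT_RE = re.compile(r"\b(eval|exec|spawn|child_process)\b", re.IGNORECASE)

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Assumed prefixes for storage-related routes (an assumption, not taken from the page).
STORAGE_PREFIXES = ("/files", "/upload")


class Finding(NamedTuple):
    ip: str
    target: str
    keyword: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: Iterable[str], strict: bool = True) -> List[Finding]:
    """Flag requests to storage routes whose request target carries an injection keyword."""
    pattern = STRICT_RE if strict else NAIVE_RE
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["target"].startswith(STORAGE_PREFIXES):
            continue  # unparseable, or not a storage-related route
        m = pattern.search(rec["target"])
        if m:
            findings.append(Finding(rec["ip"], rec["target"], m.group(1).lower()))
    return findings


# Constructed sample lines; IPs, paths and timestamps are made up for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Mar/2026:10:00:01 +0000] "GET /files/executive-summary.pdf HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Mar/2026:10:00:02 +0000] "POST /files/upload?name=child_process HTTP/1.1" 400 0',
    '10.0.0.7 - - [02/Mar/2026:10:00:03 +0000] "POST /graphql HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} -> {f.target} (keyword: {f.keyword})")
```

Request bodies are normally absent from access logs, so this covers the request line and query string only; body inspection belongs in a WAF or the application itself.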
Monitoring Recommendations
- Enable verbose logging for the Twenty CRM application and review logs regularly
- Set up alerts for any attempts to access or modify the local.driver.ts module
- Monitor network traffic for data exfiltration attempts from the CRM server
- Implement file integrity monitoring on critical Twenty CRM application files
How to Mitigate CVE-2026-26720
Immediate Actions Required
- Upgrade Twenty CRM to the latest patched version immediately
- If patching is not immediately possible, restrict network access to the Twenty CRM instance
- Place the Twenty CRM server behind a web application firewall (WAF) with code injection rules enabled
- Conduct a security audit to identify any signs of compromise on affected systems
- Review access logs to determine if exploitation attempts have occurred
Patch Information
Organizations should check the Twenty CRM official website and official release channels for security patches addressing this vulnerability. Apply all available security updates as soon as possible. For detailed patch information and remediation guidance, refer to the security analysis by Dillon Kirsch.
Workarounds
- Restrict network access to the Twenty CRM instance to trusted IP addresses only
- Implement network segmentation to isolate the CRM server from critical infrastructure
- Disable or restrict access to the local.driver.ts module functionality if not required
- Deploy a reverse proxy with strict input validation rules in front of the application
- Consider temporarily taking affected instances offline until patches can be applied
# Example: Restrict access to Twenty CRM via iptables
# Allow access only from the trusted management IP (192.168.1.100 is an example address)
iptables -A INPUT -p tcp --dport 3000 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

# Example: Nginx reverse proxy configuration to block suspicious requests
# Add to the server block for Twenty CRM.
# Note: "if" runs in the rewrite phase, before the request body has been read, so
# $request_body is empty there and cannot be matched. The request line and query string
# can be; inspecting bodies needs a WAF module (e.g. ModSecurity) or application-side validation.
location / {
    # Block requests whose URI or query string carries common code injection keywords
    if ($request_uri ~* "(eval|exec|spawn|child_process)") {
        return 403;
    }
    proxy_pass http://localhost:3000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

