CVE-2026-27023 MEDIUM

CVE-2026-27023: Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client

Vendor Twentyhq
Product twenty
Weakness CWE-918 · SSRF
Published March 5, 2026
Last update March 6, 2026

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.

Key dates

02Disclosure timeline

March 5, 2026 CVE published
March 6, 2026 Record updated