CVE-2026-27023

low-risk

Published 2026-03-05

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.0/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Twenty

Affected Vendors

Twenty

References (2)

Product https://github.com/twentyhq/twenty/releases/tag/v1.18.0

Mitigation https://github.com/twentyhq/twenty/security/advisories/GHSA-wm7q-rvq3-x8q9

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal