CVE-2026-46624

CRITICAL 9.9

Twenty: SQL Injection via the timeZone field

CVSS Score

9.9

EPSS Score

0.0%

EPSS Percentile

0th

Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If Postgres user is a super user then any authenticated user can execute arbitrary OS commands on the database server by injecting SQL through the unsanitized timeZone parameter in the REST API groupBy endpoint. The timeZone field within the group_by query parameter is directly interpolated into a raw SQL expression using JavaScript template literals without any parameterization, validation, or escaping. This affects engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts.

CWE	CWE-78 CWE-89
Vendor	twentyhq
Product	twenty
Published	May 26, 2026
Last Updated	May 26, 2026

Stay Ahead of the Next One

Get instant alerts for twentyhq twenty

Be the first to know when new critical vulnerabilities affecting twentyhq twenty are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

twentyhq / twenty

>= 1.7.7, <= 1.16.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/twentyhq/twenty/security/advisories/GHSA-jgx4-6mr9-9573