CVE-2026-49141

HIGH 7.1

WACRM Authorization Bypass via Automation Engine Endpoint

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.

CWE	CWE-639
Vendor	arnasdon
Product	wacrm
Published	Jun 8, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for arnasdon wacrm

Be the first to know when new high vulnerabilities affecting arnasdon wacrm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

Affected Versions

ArnasDon / wacrm

0 < 73041bfa6420f5e1ecbfa1dd4fa847d8529320f5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ArnasDon/wacrm/pull/194 github.com: https://github.com/ArnasDon/wacrm/commit/73041bfa6420f5e1ecbfa1dd4fa847d8529320f5 vulncheck.com: https://www.vulncheck.com/advisories/wacrm-authorization-bypass-via-automation-engine-endpoint

Credits

Midhun Mohanan VulnCheck