CVE-2026-26720
Published: 02 March 2026
Description
An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2026-26720 by requiring timely identification, reporting, and patching of the code injection flaw in Twenty CRM's local.driver.ts module.
- Prevents arbitrary code execution by enforcing validation of untrusted inputs to the vulnerable local.driver.ts module, which is susceptible to CWE-94 code injection.
- Boundary protection controls network communications to block or detect remote unauthenticated exploitation payloads targeting the Twenty CRM vulnerability.
Security Summary
CVE-2026-26720 is a critical code injection vulnerability (CWE-94) in Twenty CRM versions v1.15.0 and earlier, enabling remote arbitrary code execution via the local.driver.ts module. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it was published on 2026-03-02T16:16:25.517 and affects the open-source CRM software hosted at twenty.com.
A remote attacker requires no authentication, privileges, or user interaction to exploit the vulnerability over the network with low complexity. Successful exploitation allows full arbitrary code execution on the target system, resulting in high impacts to confidentiality, integrity, and availability.
Mitigation details and further analysis are available in referenced resources, including a technical breakdown at https://dillonkirsch.com/post/locally_hosted_twenty_rce_cve_2026_26720/, a GitHub proof-of-concept repository at https://github.com/dillonkirsch/CVE-2026-26720-Twenty-RCE, and the vendor site at https://twenty.com. Security practitioners should review these for patching guidance and exploit details.
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
- Affected Products: Twenty CRM v1.15.0 and earlier
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote arbitrary code execution in a public-facing CRM web application directly enables T1190: Exploit Public-Facing Application.