Unrated severity. NVD Advisory. Published Mar 5, 2026. Updated Mar 6, 2026.
Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client
CVE-2026-27023
Description
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.
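As an added illustration (not Twenty's SecureHttpClientService nor any code from the project), the following client shows the bug class the description names, validating only the initial URL while redirects are followed unchecked, beside the hardened behaviour of re-validating every hop before it is requested. The fetcher and resolver are injected stand-ins (assumed shapes) so the example runs offline against constructed responses.

```typescript
import * as net from "node:net";

// Constructed shapes: a synchronous fetcher and a DNS resolver are injected so
// the example runs offline; a real client would use fetch()/dns.lookup().
type Response = { status: number; headers: Record<string, string> };
type Fetcher = (url: string) => Response;
type Resolver = (host: string) => string;

// Addresses an SSRF filter should refuse: loopback, RFC 1918, link-local, ULA.
export function isBlockedIp(ip: string): boolean {
  if (net.isIPv4(ip)) {
    const [a, b] = ip.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (net.isIPv6(ip)) {
    const v6 = ip.toLowerCase();
    return v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || v6.startsWith("fe80");
  }
  return true; // not an IP literal at all: fail closed
}

// Request-level check: scheme allow-list plus resolved-address block-list.
export function validateUrl(url: string, resolve: Resolver): void {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error(`blocked scheme ${u.protocol}`);
  const host = u.hostname.replace(/^\[|\]$/g, ""); // WHATWG URL keeps IPv6 brackets
  const ip = net.isIP(host) ? host : resolve(host);
  if (isBlockedIp(ip)) throw new Error(`blocked address ${host} -> ${ip}`);
}

// One client with both behaviours: recheckRedirects === false reproduces the
// pattern the advisory describes (only the first URL is validated, then the
// redirect chain is followed blindly); true validates every hop before fetching it.
// Automatic redirect following in the underlying client must be off for this to work.
export function fetchFollowing(url: string, get: Fetcher, resolve: Resolver,
                               recheckRedirects: boolean, maxHops = 5): string {
  validateUrl(url, resolve);
  let current = url;
  for (let hop = 0; hop < maxHops; hop++) {
    if (hop > 0 && recheckRedirects) validateUrl(current, resolve);
    const res = get(current);
    if (res.status < 300 || res.status > 399 || !res.headers.location) return current;
    current = new URL(res.headers.location, current).toString(); // handles relative Location
  }
  throw new Error("too many redirects");
}
```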
References
- https://github.com/twentyhq/twenty/releases/tag/v1.18.0
- https://github.com/twentyhq/twenty/security/advisories/GHSA-wm7q-rvq3-x8q9