What is CVE-2026-27023?

CVE-2026-27023 is a medium-severity vulnerability in Twentyhq Twenty, classified under Server-Side Request Forgery (SSRF). CVSS score: 5.0/10. Published 2026-03-05.

How severe is CVE-2026-27023?

Medium severity. CVSS v3 base score is 5.0 out of 10.

SSRF in Twentyhq Twenty

CVE-2026-27023

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (13.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.0 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N.

Affected products

Twentyhq Twenty — versions < 1.18

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/twentyhq/twenty/security/advisories/GHSA-wm7q-rvq3-x8q9 (x_refsource_CONFIRM)
https://github.com/twentyhq/twenty/releases/tag/v1.18.0 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-27023?: CVE-2026-27023 is a medium-severity vulnerability in Twentyhq Twenty, classified under Server-Side Request Forgery (SSRF). CVSS score: 5.0/10. Published 2026-03-05.
How severe is CVE-2026-27023?: Medium severity. CVSS v3 base score is 5.0 out of 10.