CVE-2026-26720
Published: 02 March 2026
Summary
CVE-2026-26720 is a critical-severity Code Injection (CWE-94) vulnerability in Twenty CRM. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 47.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-26720 is a critical code injection vulnerability (CWE-94) in Twenty CRM versions v1.15.0 and earlier, enabling remote arbitrary code execution via the local.driver.ts module. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it was published on 2026-03-02T16:16:25.517 and affects the open-source CRM software hosted at twenty.com.
A remote attacker requires no authentication, privileges, or user interaction to exploit the vulnerability over the network with low complexity. Successful exploitation allows full arbitrary code execution on the target system, resulting in high impacts to confidentiality, integrity, and availability.
Mitigation details and further analysis are available in referenced resources, including a technical breakdown at https://dillonkirsch.com/post/locally_hosted_twenty_rce_cve_2026_26720/, a GitHub proof-of-concept repository at https://github.com/dillonkirsch/CVE-2026-26720-Twenty-RCE, and the vendor site at https://twenty.com. Security practitioners should review these for patching guidance and exploit details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9194
Vulnerability details
An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.
Related Threats: MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote arbitrary code execution in a public-facing CRM web application directly enables T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2026-26720 by requiring timely identification, reporting, and patching of the code injection flaw in Twenty CRM's local.driver.ts module.
- SI-10 (Information Input Validation): prevents arbitrary code execution by enforcing validation of untrusted inputs to the vulnerable local.driver.ts module susceptible to CWE-94 code injection.
- SC-7 (Boundary Protection): controls network communications to block or detect remote unauthenticated exploitation payloads targeting the Twenty CRM vulnerability.