CVE-2026-27023: CWE-918: Server-Side Request Forgery (SSRF) in twentyhq twenty
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-27023 is a Server-Side Request Forgery (SSRF) vulnerability in Twenty, the open-source Customer Relationship Management (CRM) software from twentyhq. It affects versions prior to 1.18 and sits in the SecureHttpClientService component, which handles outbound HTTP requests. The service validates the initial request URL to block private IP ranges, but it does not validate the target URLs of HTTP redirects. An authenticated attacker who can control outbound request URLs, such as webhook endpoints or image URLs, can therefore point the service at an attacker-controlled server that redirects to a private address, bypassing the private IP block and reaching internal network resources that should be inaccessible. This can expose internal services or data. Exploitation requires authenticated access to the application but no additional user interaction. The flaw does not affect integrity or availability; its impact is limited to confidentiality, through exposure of internal network information. The issue was publicly disclosed on March 5, 2026, and is fixed in version 1.18. The CVSS v3.1 base score is 5.0 (medium): network attack vector, low attack complexity, privileges required, no user interaction, and changed scope due to the redirection mechanism. No known exploits are reported in the wild at this time.
Potential Impact
The primary impact of this SSRF vulnerability is the potential exposure of internal network resources that are normally protected by private IP blocking. An authenticated attacker could leverage this flaw to access internal services, potentially gathering sensitive information or mapping internal network topology. While the vulnerability does not directly allow code execution, data modification, or denial of service, the confidentiality breach could facilitate further attacks or lateral movement within an organization's network. Organizations using the affected versions of the twenty CRM may face increased risk of internal reconnaissance by malicious insiders or compromised accounts. The medium severity reflects the moderate risk, given the need for authentication and the limited scope of impact. However, in environments where internal services are highly sensitive or where the CRM is integrated with critical infrastructure, the consequences could be more severe. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade the twenty CRM software to version 1.18 or later, where the SSRF protection has been enhanced to validate redirect targets properly. Until the upgrade can be applied, administrators should restrict authenticated user permissions to limit who can configure or control outbound request URLs such as webhook endpoints or image URLs. Network-level controls can be implemented to restrict outbound HTTP requests from the CRM server to only trusted destinations, minimizing the risk of SSRF exploitation. Monitoring and logging outbound requests and redirects can help detect suspicious activity indicative of SSRF attempts. Additionally, employing web application firewalls (WAFs) with SSRF detection rules may provide an additional layer of defense. Regular security reviews of user permissions and configurations related to outbound requests are recommended to reduce the attack surface. Finally, educating users about the risks of SSRF and maintaining up-to-date software versions are critical best practices.
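The redirect weakness described in the analysis (the policy is applied to the first URL only, after which every redirect target is trusted) and the corresponding fix (re-apply the policy on every hop) as an added Python illustration. This is example code written for this page, not the twenty project's SecureHttpClientService; the HTTP client and DNS resolver are injected so it runs offline, and the hostnames, addresses and server responses in the fixtures are constructed.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Added example, not the twenty project's code: an outbound-HTTP helper that checks
# every redirect hop against a private-address policy, shown next to the weak shape
# that checks only the first URL.

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
ALLOWED_SCHEMES = {"http", "https"}


class SsrfBlocked(Exception):
    """Raised when a request or redirect target is not a public address."""


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.5 must be judged by its embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> list[str]:
    """Default resolver: every address the OS returns for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_url(url: str, resolve=system_resolver) -> list[str]:
    """Reject non-http(s) URLs and any host that resolves to a non-public address.
    Returns the validated addresses so a caller can pin the connection to them."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise SsrfBlocked(f"unsupported or hostless URL: {url}")
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # IP literal, no DNS
    except ValueError:
        addrs = resolve(parts.hostname)
    if not addrs:
        raise SsrfBlocked(f"{parts.hostname} did not resolve")
    for a in addrs:
        if not is_public_address(a):
            raise SsrfBlocked(f"{url} resolves to non-public address {a}")
    return addrs


def fetch_validate_once(url, get, resolve=system_resolver, max_redirects=5):
    """Weak shape: validate the first URL, then follow redirects unchecked."""
    validate_url(url, resolve)
    for _ in range(max_redirects + 1):
        status, headers = get(url)          # headers: dict with lowercase keys
        location = headers.get("location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)    # new target is never checked
            continue
        return url, status
    raise SsrfBlocked("too many redirects")


def fetch_validate_every_hop(url, get, resolve=system_resolver, max_redirects=5):
    """Hardened shape: the policy is applied to the initial URL and to every redirect target."""
    for _ in range(max_redirects + 1):
        validate_url(url, resolve)
        status, headers = get(url)
        location = headers.get("location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)
            continue
        return url, status
    raise SsrfBlocked("too many redirects")


# Constructed offline fixtures (assumed names and addresses): a public-looking
# webhook host that answers with a redirect to an RFC 1918 address.
FAKE_DNS = {
    "hooks.example.com": ["8.8.8.8"],        # any globally routable address works here
    "internal-admin.local": ["10.0.0.5"],
}
FAKE_SERVERS = {
    "http://hooks.example.com/webhook": (302, {"location": "http://internal-admin.local/"}),
    "http://hooks.example.com/ok": (200, {}),
    "http://internal-admin.local/": (200, {}),
}


def fake_get(url):
    return FAKE_SERVERS.get(url, (404, {}))


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def demo() -> dict:
    """Run both clients against the fixtures and report where each one ended up."""
    results = {}
    final_url, _ = fetch_validate_once("http://hooks.example.com/webhook", fake_get, fake_resolve)
    results["validate_once"] = final_url            # the redirect reached 10.0.0.5
    try:
        fetch_validate_every_hop("http://hooks.example.com/webhook", fake_get, fake_resolve)
        results["validate_every_hop"] = "allowed"
    except SsrfBlocked:
        results["validate_every_hop"] = "blocked"   # hop 2 rejected before any request
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the fixture makes visible: the hardened client rejects the second hop before sending any request to it, and the check resolves every address a name maps to rather than only the first one. In a real client the addresses returned by `validate_url` should also be the ones the socket actually connects to, so that a DNS answer cannot change between the check and the connection.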
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T03:08:23.490Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a9c996460e1c85df139358
Added to database: 3/5/2026, 6:21:10 PM
Last enriched: 3/12/2026, 8:28:27 PM
Last updated: 4/19/2026, 11:16:05 PM