CVE-2026-27023: CWE-918: Server-Side Request Forgery (SSRF) in twentyhq twenty
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.
AI Analysis
Technical Summary
CVE-2026-27023 is a Server-Side Request Forgery (SSRF) vulnerability identified in the open-source CRM software 'twenty' prior to version 1.18. The root cause lies in the SecureHttpClientService component, which performs validation on outbound request URLs to block access to private IP ranges, a common SSRF mitigation technique. However, this validation does not extend to redirect targets, meaning that if an attacker can control the initial request URL (such as webhook endpoints or image URLs), they can cause the server to follow redirects through an attacker-controlled server. This redirection bypasses the private IP blocking mechanism, allowing the attacker to induce the server to make requests to internal network resources that would otherwise be inaccessible. The vulnerability requires an authenticated user with the ability to specify outbound request URLs, but does not require additional user interaction. The impact is primarily on confidentiality, as it could allow attackers to gather information about internal network services or metadata. The vulnerability has been addressed in version 1.18 of 'twenty' by extending validation to redirect targets, closing the bypass vector. No known exploits are currently reported in the wild. The CVSS 3.1 base score is 5.0, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and limited confidentiality impact without integrity or availability effects.
Potential Impact
The primary impact of CVE-2026-27023 is the potential exposure of internal network information due to SSRF exploitation. An authenticated attacker could leverage this vulnerability to bypass private IP restrictions and access internal services, potentially leading to reconnaissance that precedes more severe attacks such as lateral movement or data exfiltration. Although the vulnerability does not directly compromise data integrity or availability, the information gained could facilitate further exploitation. Organizations using affected versions of 'twenty' risk unauthorized internal network probing, which could expose sensitive infrastructure details or internal APIs. This is particularly concerning for enterprises with critical internal services behind firewalls that rely on SSRF protections to prevent external access. The requirement for authentication limits the attack surface to insiders or compromised user accounts, but the lack of user interaction and low attack complexity increase the risk of exploitation once credentials are obtained.
Mitigation Recommendations
To mitigate CVE-2026-27023, organizations should immediately upgrade 'twenty' CRM to version 1.18 or later, where the SSRF redirect validation flaw is patched. Additionally, administrators should audit and restrict the ability of users to configure outbound request URLs, such as webhook endpoints and image URLs, limiting this capability to trusted users only. Implement network-level controls to restrict outbound HTTP requests from the application server to only necessary external endpoints, reducing the risk of SSRF exploitation. Employ strict allowlists for URLs and domains used in outbound requests and redirects. Monitor application logs for unusual outbound request patterns or redirects that could indicate exploitation attempts. Finally, consider deploying web application firewalls (WAFs) with SSRF detection capabilities to provide an additional layer of defense.
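The following is an added TypeScript example (twenty is a TypeScript codebase) that illustrates the flaw described in the technical summary and the allowlist mitigation recommended above; it is not twenty's own SecureHttpClientService and none of its names (`naiveGet`, `secureGet`, `assertSafeUrl`, `isPrivateAddress`, `demoFetcher`, `demoResolver`) come from the project. The resolver and fetcher are constructed in-memory stand-ins so the code runs offline: the "vulnerable" client checks only the first URL and then follows a 302 on its own, while the hardened client disables automatic redirects, re-validates every hop against private ranges and an optional hostname allowlist, and caps the number of hops.

```typescript
// Added example: redirect-aware SSRF guard (not twenty's SecureHttpClientService).
import * as net from "node:net";
import { promises as dns } from "node:dns";

export type Resolver = (hostname: string) => Promise<string[]>;
export type HttpResponse = { status: number; headers: Record<string, string>; body: string };
// The fetcher gets the validated URL and the pinned IP it must connect to (Host/SNI stay the hostname),
// which also closes the DNS-rebinding window between validation and connection.
export type Fetcher = (url: URL, pinnedIp: string) => Promise<HttpResponse>;

// Production resolver; the demo below injects a constructed one instead so it needs no network.
export const systemResolver: Resolver = async (hostname) =>
  (await dns.lookup(hostname, { all: true })).map((r) => r.address);

// Deny loopback, link-local (incl. cloud metadata 169.254.169.254), RFC1918, CGNAT and their IPv6 equivalents.
export function isPrivateAddress(ip: string): boolean {
  if (net.isIPv4(ip)) {
    const [a, b] = ip.split(".").map(Number);
    return a === 0 || a === 10 || a === 127            // this-net, RFC1918 10/8, loopback
      || (a === 169 && b === 254)                      // link-local 169.254/16
      || (a === 172 && b >= 16 && b <= 31)             // RFC1918 172.16/12
      || (a === 192 && b === 168)                      // RFC1918 192.168/16
      || (a === 100 && b >= 64 && b <= 127);           // CGNAT 100.64/10
  }
  if (net.isIPv6(ip)) {
    const v6 = ip.toLowerCase();
    const mapped = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(v6); // IPv4-mapped, e.g. ::ffff:127.0.0.1
    if (mapped) return isPrivateAddress(mapped[1]);
    return v6 === "::1" || v6 === "::"                 // loopback / unspecified
      || /^f[cd]/.test(v6)                             // fc00::/7 unique local
      || /^fe[89ab]/.test(v6);                         // fe80::/10 link-local
  }
  throw new Error(`not an IP literal: ${ip}`);
}

// Validates one URL: scheme, optional hostname allowlist, then every resolved address.
export async function assertSafeUrl(rawUrl: string, resolve: Resolver, allowHosts?: string[]): Promise<{ url: URL; ip: string }> {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`blocked scheme: ${url.protocol}`);
  const host = url.hostname.replace(/^\[|\]$/g, "");   // WHATWG URL keeps brackets on IPv6 hosts
  if (allowHosts && !allowHosts.includes(host)) throw new Error(`host not in allowlist: ${host}`);
  const addrs = net.isIP(host) ? [host] : await resolve(host);
  if (addrs.length === 0) throw new Error(`unresolvable host: ${host}`);
  const bad = addrs.find((a) => isPrivateAddress(a));
  if (bad !== undefined) throw new Error(`blocked private address ${bad} for ${host}`);
  return { url, ip: addrs[0] };
}

const firstAddress = async (host: string, resolve: Resolver) => (net.isIP(host) ? host : (await resolve(host))[0]);

// Vulnerable pattern from the advisory: the URL is checked once, then redirects are followed unchecked,
// so a 302 from a public host to an internal address is never inspected.
export async function naiveGet(rawUrl: string, fetcher: Fetcher, resolve: Resolver): Promise<HttpResponse> {
  const { url, ip } = await assertSafeUrl(rawUrl, resolve);
  let current = url;
  let res = await fetcher(current, ip);
  while (res.status >= 300 && res.status < 400 && res.headers.location) {
    current = new URL(res.headers.location, current);
    res = await fetcher(current, await firstAddress(current.hostname, resolve)); // no private-range check here
  }
  return res;
}

// Hardened pattern: automatic redirects are off; the original URL and every Location target pass the same
// check before being fetched, and the chain is capped.
export async function secureGet(rawUrl: string, fetcher: Fetcher, resolve: Resolver, allowHosts?: string[], maxRedirects = 5): Promise<HttpResponse> {
  let current = rawUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const { url, ip } = await assertSafeUrl(current, resolve, allowHosts);
    const res = await fetcher(url, ip);
    if (!(res.status >= 300 && res.status < 400 && res.headers.location)) return res;
    current = new URL(res.headers.location, url).toString(); // relative Location resolves against this hop
  }
  throw new Error(`too many redirects (> ${maxRedirects})`);
}

// Constructed demo environment (no network): a public webhook host that merely redirects to the metadata endpoint.
export const demoResolver: Resolver = async (hostname) =>
  ({ "webhook.example.test": ["203.0.113.10"] } as Record<string, string[]>)[hostname] ?? []; // TEST-NET-3, public

export const demoFetcher: Fetcher = async (url) => {
  if (url.hostname === "webhook.example.test")
    return { status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" }, body: "" };
  if (url.hostname === "169.254.169.254")
    return { status: 200, headers: {}, body: "metadata-response (constructed)" };
  return { status: 404, headers: {}, body: "" };
};

// Runs both clients against the demo and reports what each one reached.
export async function demo(): Promise<{ naiveReached: string; secureBlocked: boolean }> {
  const start = "https://webhook.example.test/hook";
  const naive = await naiveGet(start, demoFetcher, demoResolver);
  let secureBlocked = false;
  try { await secureGet(start, demoFetcher, demoResolver); } catch { secureBlocked = true; }
  return { naiveReached: naive.body, secureBlocked };
}
```

For a real HTTP client the fetcher should open the socket to `pinnedIp` while keeping the original hostname for the `Host` header and TLS SNI; a detection rule can reuse `isPrivateAddress` on logged `Location` targets to flag chains that bend toward internal ranges.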
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T03:08:23.490Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a9c996460e1c85df139358
Added to database: 3/5/2026, 6:21:10 PM
Last enriched: 3/5/2026, 6:36:21 PM
Last updated: 3/5/2026, 9:07:40 PM