CVE-2026-46624 affects Twenty CRM versions 1.7.7 through 1.16.7 and involves a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack vector. The vulnerability stems from the timeZone field within the group_by query parameter being directly embedded into a raw SQL expression using JavaScript template literals without validation or escaping. This allows an authenticated user to inject SQL commands that, if the PostgreSQL user has superuser privileges, can lead to arbitrary OS command execution on the database server. The affected code is located in engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts. The CVSS v3.1 score is 9.9, indicating critical severity with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

Successful exploitation allows an authenticated user to execute arbitrary operating system commands on the database server hosting Twenty CRM, potentially leading to full system compromise. The impact includes complete loss of confidentiality, integrity, and availability of the affected system. This can result in data theft, data manipulation, service disruption, and further lateral movement within the environment.

No official patch or remediation is currently available as per the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict PostgreSQL user privileges to avoid superuser rights for the database user used by Twenty CRM. Additionally, avoid exposing the vulnerable API endpoint to untrusted users and consider implementing input validation or filtering on the timeZone parameter as a temporary mitigation.