CVE-2026-49141: Authorization Bypass Through User-Controlled Key in ArnasDon wacrm
CVE-2026-49141 is an authorization bypass vulnerability in ArnasDon's wacrm automation engine prior to commit 73041bf. Authenticated attackers can supply an arbitrary contact_id in a POST request to access and modify contacts belonging to other tenants without tenant ownership verification. This bypasses row-level security via a service-role client, allowing modification of victim contact fields such as name, email, and company across tenant boundaries. The vulnerability has a CVSS 4. 0 base score of 5. 1, indicating medium severity. No official patch or remediation guidance is currently available, and no known exploits are reported in the wild. The product is not a cloud service, so remediation depends on vendor patching. There is no information on affected versions or vendor advisories at this time.
AI Analysis
Technical Summary
The vulnerability in ArnasDon wacrm's automation engine allows authenticated users to bypass authorization controls by providing a user-controlled contact_id in POST requests. This flaw enables attackers to access and modify contact records belonging to other tenants without verifying tenant ownership. The issue arises because the service-role client bypasses row-level security, permitting cross-tenant data modification of contact attributes such as name, email, and company. The vulnerability is present in versions prior to commit 73041bf. The CVSS 4.0 score is 5.1, reflecting a medium severity impact. No patch or official remediation level has been disclosed, and no known exploits have been reported.
Potential Impact
An authenticated attacker can bypass tenant isolation controls and modify contact information across tenant boundaries. This can lead to unauthorized data manipulation of sensitive contact details including names, emails, and company information. The vulnerability compromises data integrity and tenant data segregation within the affected wacrm automation engine. There is no evidence of exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor vendor communications for updates. Until a patch is available, restrict authenticated user privileges where possible to limit exposure to this vulnerability.
CVE-2026-49141: Authorization Bypass Through User-Controlled Key in ArnasDon wacrm
Description
CVE-2026-49141 is an authorization bypass vulnerability in ArnasDon's wacrm automation engine prior to commit 73041bf. Authenticated attackers can supply an arbitrary contact_id in a POST request to access and modify contacts belonging to other tenants without tenant ownership verification. This bypasses row-level security via a service-role client, allowing modification of victim contact fields such as name, email, and company across tenant boundaries. The vulnerability has a CVSS 4. 0 base score of 5. 1, indicating medium severity. No official patch or remediation guidance is currently available, and no known exploits are reported in the wild. The product is not a cloud service, so remediation depends on vendor patching. There is no information on affected versions or vendor advisories at this time.
CVSS v4.0
Score 5.1medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in ArnasDon wacrm's automation engine allows authenticated users to bypass authorization controls by providing a user-controlled contact_id in POST requests. This flaw enables attackers to access and modify contact records belonging to other tenants without verifying tenant ownership. The issue arises because the service-role client bypasses row-level security, permitting cross-tenant data modification of contact attributes such as name, email, and company. The vulnerability is present in versions prior to commit 73041bf. The CVSS 4.0 score is 5.1, reflecting a medium severity impact. No patch or official remediation level has been disclosed, and no known exploits have been reported.
Potential Impact
An authenticated attacker can bypass tenant isolation controls and modify contact information across tenant boundaries. This can lead to unauthorized data manipulation of sensitive contact details including names, emails, and company information. The vulnerability compromises data integrity and tenant data segregation within the affected wacrm automation engine. There is no evidence of exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor vendor communications for updates. Until a patch is available, restrict authenticated user privileges where possible to limit exposure to this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-27T17:40:12.739Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a271c95e29bf47b5081f5bd
Added to database: 6/8/2026, 7:48:37 PM
Last enriched: 6/8/2026, 7:53:04 PM
Last updated: 6/8/2026, 8:58:49 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.