CVE-2026-49141
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
WACRM prior to commit 73041bf contains an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification.
Risk Assessment
Attackers can exploit this vulnerability to modify victim contact fields including name, email, and company, which may lead to serious privacy and data security breaches within the organization.
Recommendation
It is recommended to update WACRM to a version containing the fix after commit 73041bf and to implement additional tenant ownership verification mechanisms to secure data access.
Original NVD description (English source)
WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.

