CVE Catalog

CVE-2026-49141

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

7th percentile - higher than 7% of all known CVEs

Summary

WACRM prior to commit 73041bf contains an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification.

Risk Assessment

Attackers can exploit this vulnerability to modify victim contact fields including name, email, and company, which may lead to serious privacy and data security breaches within the organization.

Recommendation

It is recommended to update WACRM to a version containing the fix after commit 73041bf and to implement additional tenant ownership verification mechanisms to secure data access.

Original NVD description (English source)

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS