CVE-2026-55583
HighCVSS 7.6Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Twenty is an open-source CRM platform that was vulnerable to an insecure direct object reference (IDOR) in the AI agent monitor prior to version 2.9.0. As a result of this vulnerability, an authenticated user could access another user's full chat history on the same instance using the victim's agentId or turnId.
Risk Assessment
The organization may be exposed to data leaks, leading to privacy violations and potential legal consequences. Allowing unauthorized access to other users' data could harm the company's reputation.
Recommendation
It is recommended to upgrade to version 2.9.0 to eliminate this vulnerability. Additionally, conducting a security audit is advisable to ensure that other areas of the system are not exposed to similar threats.
Original NVD description (English source)
Twenty is an open-source CRM (customer relationship management) platform. Prior to 2.9.0, Twenty was vulnerable to a cross-workspace insecure direct object reference (IDOR) in the AI agent monitor's AgentTurnResolver, in packages/twenty-server/src/engine/metadata-modules/ai/ai-agent-monitor/reso lvers/agent-turn.resolver.ts. The agentTurns(agentId) query and the evaluateAgentTurn(turnId) mutation looked up rows by agentId or id only; although AgentTurnEntity has a workspaceId column, it was not included in the WHERE clause, and the class-level guards only checked that the caller was authenticated in some workspace rather than that the requested object belonged to it, with the same flaw present in agent-turn-grader.service.ts. As a result, any authenticated user with the AI settings flag, a workspace owner by default, could target any other workspace on the same instance given the victim's agentId or turnId: agentTurns returned the victim's full chat history including message parts such as raw chat text, tool calls, and tool outputs, while evaluateAgentTurn inserted an agentTurnEvaluation row with the victim's workspaceId and fed the victim's turn into the default LLM. The agentId and turnId are non-guessable UUIDs but are exposed in the URL of the settings page. This issue is fixed in version 2.9.0.

