{"data":{"id":"ac683442-8904-4927-955e-9ec14e2c6f3d","title":"CVE-2026-55583: Twenty is an open-source CRM (customer relationship management) platform. Prior to 2.9.0, Twenty was vulnerable to a cro","summary":"Twenty, an open-source CRM platform, was vulnerable before version 2.9.0 to an IDOR (insecure direct object reference, CWE-639): the server did not verify that a requested AI agent or chat turn belonged to the caller's own workspace before returning it. An authenticated user with access to one workspace could therefore read other workspaces' AI agent data (chat histories, tool calls, and outputs) simply by supplying another workspace's agent or turn ID; these IDs were exposed in the settings page URL, so they did not need to be guessed.","solution":"This issue is fixed in version 2.9.0; upgrade to 2.9.0 or later.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-55583","publishedAt":"2026-06-24T20:16:33.100Z","cveId":"CVE-2026-55583","cweIds":["CWE-639"],"cvssScore":"7.6","cvssSeverity":"high","severity":"high","attackType":["rag_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Twenty"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"low","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-06-24T20:16:33.100Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0020","AML.T0051.001"]}}