← Back
2026-06-08 19:13CVE-2026-49141VulnCheck
PUBLISHED5.2CWE-639x_open-source

WACRM Authorization Bypass via Automation Engine Endpoint

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.

Problem type

Affected products

ArnasDon

wacrm

< 73041bfa6420f5e1ecbfa1dd4fa847d8529320f5 - AFFECTED

References

github.com

https://github.com/ArnasDon/wacrm/pull/194

issue-tracking
github.com

https://github.com/ArnasDon/wacrm/commit/73041bfa6420f5e1ecbfa1dd4fa847d8529320f5

patch
vulncheck.com

https://www.vulncheck.com/advisories/wacrm-authorization-bypass-via-automation-engine-endpoint

third-party-advisory

GitHub Security Advisories

GHSA-x2w7-xr2g-qhjr

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation...

https://github.com/advisories/GHSA-x2w7-xr2g-qhjr

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-49141

github.com

https://github.com/ArnasDon/wacrm/pull/194

github.com

https://github.com/ArnasDon/wacrm/commit/73041bfa6420f5e1ecbfa1dd4fa847d8529320f5

vulncheck.com

https://www.vulncheck.com/advisories/wacrm-authorization-bypass-via-automation-engine-endpoint

github.com

https://github.com/advisories/GHSA-x2w7-xr2g-qhjr

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-49141
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-49141",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-06-08T19:13:16.960Z",
    "dateReserved": "2026-05-27T17:40:12.739Z",
    "datePublished": "2026-06-08T19:13:16.960Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-06-08T19:13:16.960Z"
      },
      "datePublic": "2026-06-08T00:00:00.000Z",
      "title": "WACRM Authorization Bypass via Automation Engine Endpoint",
      "descriptions": [
        {
          "lang": "en",
          "value": "WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID."
        }
      ],
      "affected": [
        {
          "vendor": "ArnasDon",
          "product": "wacrm",
          "repo": "https://github.com/ArnasDon/wacrm",
          "defaultStatus": "affected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "git",
              "lessThan": "73041bfa6420f5e1ecbfa1dd4fa847d8529320f5"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Authorization Bypass Through User-Controlled Key",
              "cweId": "CWE-639",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/ArnasDon/wacrm/pull/194",
          "tags": [
            "issue-tracking"
          ]
        },
        {
          "url": "https://github.com/ArnasDon/wacrm/commit/73041bfa6420f5e1ecbfa1dd4fa847d8529320f5",
          "tags": [
            "patch"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/wacrm-authorization-bypass-via-automation-engine-endpoint",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Midhun Mohanan",
          "type": "finder"
        },
        {
          "lang": "en",
          "value": "VulnCheck",
          "type": "finder"
        }
      ],
      "tags": [
        "x_open-source"
      ]
    }
  }
}