
Description

WACRM prior to commit 73041bf contains an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client, which bypasses row-level security, to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.
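As an added illustration (not WACRM's code and not the fix in commit 73041bf), the following hypothetical handler pair models the bug class the description names: a privileged client that bypasses row-level security, fed a caller-supplied contact_id, beside the same write gated on a tenant-ownership check. All names, sessions and contact rows are constructed.

```javascript
// Constructed sample data: two tenants, one contact each.
const contacts = new Map([
  ["c-1111", { id: "c-1111", tenant_id: "tenant-A", name: "Ada", email: "ada@a.example", company: "A Co" }],
  ["c-2222", { id: "c-2222", tenant_id: "tenant-B", name: "Bob", email: "bob@b.example", company: "B Co" }],
]);

// Hypothetical service-role client: like a privileged database role it bypasses
// row-level security, so it reads or updates any row it is pointed at.
const serviceRole = {
  get: (id) => contacts.get(id),
  update(id, fields) {
    const row = contacts.get(id);
    if (!row) return null;
    Object.assign(row, fields);
    return row;
  },
};

// Only these columns may be written through the endpoint; everything else in
// the body (for example a role or tenant_id field) is dropped.
const ALLOWED_FIELDS = ["name", "email", "company"];
const pickAllowed = (body) =>
  Object.fromEntries(Object.entries(body).filter(([k]) => ALLOWED_FIELDS.includes(k)));

// Vulnerable pattern: contact_id comes from the request body and goes straight
// to the privileged client. The session is never consulted, so nothing ties
// the row to the caller's tenant.
function updateContactVulnerable(session, body) {
  const row = serviceRole.update(body.contact_id, pickAllowed(body));
  return row ? { status: 200, row } : { status: 404 };
}

// Hardened pattern: resolve the row first and require that it belongs to the
// caller's tenant before the privileged write. A foreign row is answered with
// 404 rather than 403 so the endpoint does not confirm that the UUID exists.
function updateContactHardened(session, body) {
  const row = serviceRole.get(body.contact_id);
  if (!row || row.tenant_id !== session.tenant_id) return { status: 404 };
  return { status: 200, row: serviceRole.update(row.id, pickAllowed(body)) };
}
```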

Status: PUBLISHED | Reserved 2026-05-27 | Published 2026-06-08 | Updated 2026-06-09 | Assigner VulnCheck

CVSS v4.0: MEDIUM 5.1 (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N)

CVSS v3.1: HIGH 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N)

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Default status: affected

Any version before 73041bfa6420f5e1ecbfa1dd4fa847d8529320f5: affected

Credits

Midhun Mohanan (finder)

VulnCheck (finder)

References

github.com/ArnasDon/wacrm/pull/194 (issue-tracking)

github.com/...ommit/73041bfa6420f5e1ecbfa1dd4fa847d8529320f5 (patch)

www.vulncheck.com/...n-bypass-via-automation-engine-endpoint (third-party-advisory)

cve.org (CVE-2026-49141)

nvd.nist.gov (CVE-2026-49141)
