CVE-2026-49141 · EPSS percentile 11.8%

Description

WACRM prior to commit 73041bf contains an authorization bypass vulnerability in its automation engine: the endpoint accepts an arbitrary, caller-controlled contact_id in the POST request body without verifying that the contact belongs to the caller's tenant, so an authenticated attacker can access and modify contacts belonging to other tenants. Because the handler performs the write through a service-role client that bypasses row-level security, a known contact UUID is all that is needed to modify a victim contact's fields, including name, email, and company, across tenant boundaries.
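To make the pattern concrete, the following constructed Python model (added for this record; it is not WACRM's code, and every class, function and field name in it is hypothetical) shows the vulnerable shape beside a hardened one. The store stands in for a table protected by row-level security, and its service_role_* methods stand in for the privileged client that ignores that protection. The vulnerable handler trusts the body's contact_id and writes through the privileged path; the hardened handler takes the tenant from the authenticated session, checks the row's tenant_id before the write, and returns the same error for "no such row" and "row owned by someone else" so it does not confirm guessed UUIDs.

```python
"""Constructed model of the cross-tenant authorization bypass described
above. Not WACRM's code; all names are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class AuthorizationError(Exception):
    pass


@dataclass
class Contact:
    contact_id: str
    tenant_id: str
    name: str
    email: str
    company: str


class ContactStore:
    """In-memory stand-in for an RLS-protected contacts table.

    The service_role_* methods model a privileged client that is not
    subject to row-level security: they see and write every tenant's rows.
    """

    def __init__(self) -> None:
        self._rows: Dict[str, Contact] = {}

    def insert(self, contact: Contact) -> None:
        self._rows[contact.contact_id] = contact

    def service_role_get(self, contact_id: str) -> Optional[Contact]:
        # No tenant filter: any tenant's row is returned.
        return self._rows.get(contact_id)

    def service_role_update(self, contact_id: str, **fields: str) -> None:
        row = self._rows[contact_id]
        for key, value in fields.items():
            setattr(row, key, value)


# Only these columns may be changed through the endpoint; tenant_id and
# contact_id from the body are never written to the row.
MUTABLE_FIELDS = {"name", "email", "company"}


def _mutable(body: dict) -> Dict[str, str]:
    return {k: v for k, v in body.items() if k in MUTABLE_FIELDS}


def vulnerable_update(store: ContactStore, caller_tenant: str, body: dict) -> Contact:
    """Vulnerable form: uses body['contact_id'] as-is and never compares
    the row's tenant_id with the caller's tenant before the privileged write."""
    contact_id = body["contact_id"]
    if store.service_role_get(contact_id) is None:
        raise KeyError(contact_id)
    store.service_role_update(contact_id, **_mutable(body))
    return store.service_role_get(contact_id)


def hardened_update(store: ContactStore, caller_tenant: str, body: dict) -> Contact:
    """Hardened form: caller_tenant comes from the authenticated session,
    not the request body, and ownership is verified before any write.
    A missing row and a foreign row raise the same error."""
    contact_id = body["contact_id"]
    row = store.service_role_get(contact_id)
    if row is None or row.tenant_id != caller_tenant:
        raise AuthorizationError("contact not found for this tenant")
    store.service_role_update(contact_id, **_mutable(body))
    return row


Handler = Callable[[ContactStore, str, dict], Contact]


def probe(handler: Handler) -> Tuple[bool, str]:
    """Seed one contact owned by tenant-B (constructed data), then call the
    handler as tenant-A with tenant-B's contact id. Returns (blocked, name
    of the victim row afterwards)."""
    store = ContactStore()
    store.insert(Contact("c-2222", "tenant-B", "Bob", "bob@b.example", "B Corp"))
    request_body = {"contact_id": "c-2222", "name": "Changed", "tenant_id": "tenant-B"}
    try:
        handler(store, "tenant-A", request_body)
        blocked = False
    except AuthorizationError:
        blocked = True
    return blocked, store.service_role_get("c-2222").name


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_update))  # (False, 'Changed')
    print("hardened:  ", probe(hardened_update))    # (True, 'Bob')
```

The fix is the ownership comparison, not the choice of client: a privileged client is acceptable inside a server-side handler only when the handler itself enforces the tenant boundary that row-level security would otherwise enforce. Scoping the query to the session's tenant (for example, filtering on both tenant_id and contact_id) is the equivalent defence in SQL-backed code.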

Scoring

CVSS 7.1 (High)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N
EPSS: 0.22% probability of exploitation · percentile 11.8% · scored 2026-06-19T12:03:05Z
Last modified: 2026-06-09

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-47690
CVE-2026-2174
CVE-2026-48904
CVE-2026-29189
CVE-2026-38530
CVE-2026-38532
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.