
Midhun Mohanan

#39196 of 53,632
7.1 Total CVSS
Vulnerabilities · 1
PT-2026-47450
7.1
2026-06-08
Wacrm · Wacrm · CVE-2026-49141
**Name of the Vulnerable Software and Affected Versions**

WACRM versions prior to commit 73041bf

**Description**

An authorization bypass exists in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants. By providing an arbitrary `contact id` in the body of a `POST` request, attackers can bypass tenant ownership verification. This is achieved by exploiting the service-role client, which bypasses row-level security (a security feature that restricts which rows of data a user can see or modify based on their identity), enabling the modification of victim contact fields such as name, email, and company across tenant boundaries using a known contact UUID.

**Recommendations**

Update WACRM to commit 73041bf or a later version.