PT-2026-37221 · Unknown · Twenty-Server

B-Hermes

·

Published

2026-05-05

·

Updated

2026-05-05

·

CVE-2026-33975

CVSS v4.0

8.3

High

Vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Twenty versions prior to 1.18.1
Description: An issue in the SecureHttpClientService of twenty-server allows the bypass of its Server-Side Request Forgery (SSRF) protections. The Node.js URL parser re-serializes an IPv4-mapped IPv6 literal (for example [::ffff:169.254.169.254]) into the compressed hex form [::ffff:a9fe:a9fe], while the isPrivateIp utility only recognizes dotted-decimal IPv4 notation, so the hex form passes the first SSRF check. In addition, the socket lookup event that carries the second layer of validation only fires when a hostname is resolved through DNS; an IP literal is connected to directly and never triggers it. An authenticated user can therefore reach internal IPs, including cloud metadata endpoints, and exfiltrate credentials such as IAM keys.
Recommendations: Update to version 1.18.1 or later.

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33975

Affected Products

Twenty-Server