Vulnerability  ·  2026-06-26

Twenty CRM AI Agent Monitor — Cross-Workspace IDOR Exposes Full Chat Histories & Tool Outputs (CVE-2026-55583)

Vulnerability · High impact · Global · CVE-2026-55583
Prior to version 2.9.0, Twenty (an open-source CRM) contained an insecure direct object reference (IDOR) in its AI agent monitor's AgentTurnResolver. The agentTurns(agentId) query and evaluateAgentTurn(turnId) mutation looked up rows by agentId or turnId alone, without enforcing workspaceId in the WHERE clause. Class-level guards only verified that the caller was authenticated in *some* workspace, not necessarily the one owning the requested object. Any authenticated workspace owner who knew (or guessed from a URL) a victim's agentId or turnId could read the victim's full AI chat history, including message parts, tool calls, and tool outputs, and could trigger re-evaluation of the victim's turn against the default LLM.
AI agent deployments typically process sensitive enterprise data — internal queries, tool call parameters, API responses. This flaw let any authenticated user on the same Twenty instance silently access another workspace's entire AI interaction history, including tool invocation details that may contain credentials or confidential business data. The turnId and agentId are exposed in the settings page URL, making enumeration straightforward.
Authenticated attacker in any workspace sends agentTurns or evaluateAgentTurn GraphQL queries using a victim workspace's agentId or turnId obtained from the settings page URL.
Twenty CRM (open-source) prior to version 2.9.0
Upgrade to Twenty CRM v2.9.0. Advisory: https://www.tenable.com/cve/CVE-2026-55583
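To make the bug class concrete for reviewers and for regression tests, the following is an added illustration and not Twenty's code: a minimal in-memory model of an agent-turn lookup, once in the unscoped form the advisory describes (row fetched by turnId only, behind a guard that checks only that the caller is authenticated somewhere) and once in the tenant-scoped form where the workspaceId from the authenticated context is part of the lookup predicate. The AgentTurn and AuthContext shapes, the function names, and the sample rows are all assumptions for this example; Twenty's real resolver and repository layer are not reproduced here.

```typescript
// Added example (not Twenty's code): an in-memory model of the IDOR pattern
// described in CVE-2026-55583 and of the workspace-scoped fix.
// All names, rows and the AuthContext shape are assumptions for illustration.

interface AgentTurn {
  id: string;           // turnId
  agentId: string;
  workspaceId: string;  // the tenant that owns this row
  messageParts: string[];
  toolOutputs: string[];
}

// Caller context as a resolver receives it after authentication: the
// workspace comes from the verified session/token, never from client input.
interface AuthContext {
  userId: string;
  workspaceId: string;
}

// Constructed sample rows: two workspaces, one turn each.
const AGENT_TURNS: AgentTurn[] = [
  { id: "turn-1", agentId: "agent-A", workspaceId: "ws-alpha",
    messageParts: ["user: summarise Q3 pipeline"], toolOutputs: ["crm.search -> 3 deals"] },
  { id: "turn-2", agentId: "agent-B", workspaceId: "ws-beta",
    messageParts: ["user: draft renewal email"], toolOutputs: ["crm.getContact -> 1 contact"] },
];

// VULNERABLE pattern (as the advisory describes it): the row is looked up by
// turnId only, so any authenticated caller can fetch any workspace's turn.
function evaluateAgentTurnVulnerable(ctx: AuthContext, turnId: string): AgentTurn | null {
  // Equivalent of a class-level guard: the caller is authenticated *somewhere*.
  if (!ctx.userId) throw new Error("unauthenticated");
  return AGENT_TURNS.find(t => t.id === turnId) ?? null;   // no workspaceId in the predicate
}

// HARDENED pattern: the tenant filter is part of the lookup predicate and is
// taken from the authenticated context. A row owned by another workspace is
// indistinguishable from a missing row, so there is no existence oracle either.
function evaluateAgentTurnScoped(ctx: AuthContext, turnId: string): AgentTurn | null {
  if (!ctx.userId) throw new Error("unauthenticated");
  return AGENT_TURNS.find(t => t.id === turnId && t.workspaceId === ctx.workspaceId) ?? null;
}

// The list query needs the same treatment: agentTurns(agentId) scoped by tenant.
function agentTurnsScoped(ctx: AuthContext, agentId: string): AgentTurn[] {
  if (!ctx.userId) throw new Error("unauthenticated");
  return AGENT_TURNS.filter(t => t.agentId === agentId && t.workspaceId === ctx.workspaceId);
}

// Regression-style check a project could keep in its test suite: a caller from
// ws-beta must not be able to read ws-alpha's turn through the scoped path,
// while the unscoped path shows the leak the advisory describes.
function crossWorkspaceReadBlocked(): boolean {
  const outsider: AuthContext = { userId: "u-2", workspaceId: "ws-beta" };
  const leaked = evaluateAgentTurnVulnerable(outsider, "turn-1");
  const blocked = evaluateAgentTurnScoped(outsider, "turn-1");
  return leaked !== null && blocked === null;
}
```

The design point is that the tenant identifier is never accepted from the client and is never checked as a separate step after the fetch: it is part of the same predicate as the object id, which is what a WHERE clause with workspaceId gives you in the database-backed version. Returning null rather than a distinct "forbidden" error for foreign rows also avoids confirming which ids exist in other workspaces.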
Sources
Tenable CVE-2026-55583
CVE Record (cve.org)