Executive Summary

CVE-2026-32096 is a critical Server-Side Request Forgery (SSRF) vulnerability in the Plunk open-source email platform, specifically in the AWS SNS webhook handler prior to version 0.7.0.

The vulnerability occurs because the webhook handler does not properly validate the AWS SNS SubscriptionConfirmation POST requests to the /webhooks/sns endpoint.

An unauthenticated attacker can exploit this flaw by sending a crafted request that forces the server to make arbitrary outbound HTTP GET requests to any host accessible from the server.

This happens due to the server accepting a URL input without adequate verification, allowing SSRF attacks that can expose internal services or sensitive data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a critical impact by allowing an attacker to make the server perform arbitrary outbound HTTP requests to internal or external hosts accessible from the server.

Such SSRF attacks can lead to exposure of sensitive internal resources or data, compromising confidentiality.

The CVSS v3.1 score of 9.3 reflects a high confidentiality impact, low integrity impact, and no availability impact, indicating that the main risk is unauthorized data exposure.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves an unauthenticated attacker sending crafted requests to the /webhooks/sns endpoint that cause the server to make arbitrary outbound HTTP GET requests. Detection can focus on monitoring outbound HTTP requests originating from the server to unexpected or suspicious hosts, especially those not matching the expected AWS SNS hostname pattern.'}, {'type': 'paragraph', 'content': 'You can detect potential exploitation attempts by inspecting web server logs for unusual POST requests to /webhooks/sns with suspicious SubscribeURL values.'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound HTTP GET requests from the server and filter for destinations outside of sns.<region>.amazonaws.com.'}, {'type': 'list_item', 'content': "Example tcpdump command to monitor outbound HTTP GET requests: sudo tcpdump -i eth0 'tcp dst port 80 or tcp dst port 443' and src host <server-ip>"}, {'type': 'list_item', 'content': "Check web server or application logs for POST requests to /webhooks/sns containing SubscribeURL fields that do not match the expected pattern. For example, use grep or jq on logs: grep '/webhooks/sns' /var/log/plunk/access.log | grep -v 'sns\\.[a-z0-9-]*\\.amazonaws\\.com'"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Plunk to version 0.7.0 or later, where the vulnerability has been fixed by validating the SubscribeURL in SNS subscription confirmation requests.

If upgrading immediately is not possible, consider implementing network-level restrictions to prevent the server from making arbitrary outbound HTTP requests to untrusted hosts.

• Apply strict validation on incoming SNS webhook requests to ensure SubscribeURL fields are present, use HTTPS, and match the pattern sns.<region>.amazonaws.com.
• Block outbound HTTP requests from the server to any hosts other than trusted AWS SNS endpoints.
• Monitor logs and network traffic for suspicious activity targeting the /webhooks/sns endpoint.

Useful 0 Not Useful 0