CVE-2026-4984
Awaiting Analysis Awaiting Analysis - Queue
Twilio Webhook SSRF and Signature Bypass Leads to Account Compromise

Publication date: 2026-03-27

Last updated on: 2026-05-10

Assigner: Tenable Network Security, Inc.

Description
The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-05-10
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4984
EUVD
EUVD-2026-16632
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
botpress twilio_integration_webhook_handler *
twilio twilio *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2026-4984 affects the Botpress Twilio integration webhook handler. The handler accepts any POST request without verifying the 'X-Twilio-Signature' header, which is supposed to confirm that the request comes from Twilio.

When processing media messages, the handler fetches URLs provided by users in the 'MediaUrlN' parameters. These HTTP requests include the integration's Twilio credentials (accountSID and authToken) in the 'Authorization' header using base64-encoded Basic Authentication.

An attacker can exploit this by forging a webhook payload that points to a server they control. When the webhook handler fetches the media URL from the attacker's server, it sends the Twilio credentials in plaintext (base64-encoded) in the Authorization header, allowing the attacker to fully compromise the victim's Twilio account.

Impact Analysis

This vulnerability can lead to a full compromise of your Twilio account. An attacker can remotely and without authentication obtain your Twilio account credentials (accountSID and authToken) in plaintext.

With these credentials, the attacker can access and control your Twilio account, potentially leading to unauthorized use of your services, exposure of sensitive information, and other malicious activities.

The impact is rated high for confidentiality, with limited impact on integrity and no impact on availability.

Detection Guidance

This vulnerability can be detected by monitoring for POST requests to the Twilio integration webhook handler that do not validate the 'X-Twilio-Signature' header. Additionally, inspecting HTTP requests made by the webhook handler to user-controlled URLs (specified in 'MediaUrlN' parameters) that include the Twilio credentials in the 'Authorization' header can indicate exploitation attempts.

Commands to detect suspicious activity might include capturing and analyzing HTTP traffic to the webhook endpoint and outbound HTTP requests from the integration server. For example, using tcpdump or Wireshark to capture POST requests lacking the 'X-Twilio-Signature' header, or using curl or similar tools to simulate requests and observe responses.

  • Use tcpdump to capture POST requests to the webhook endpoint: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep POST
  • Check for missing 'X-Twilio-Signature' header in captured requests.
  • Monitor outbound HTTP requests from the integration server for Authorization headers containing base64-encoded Twilio credentials.
Compliance Impact

This vulnerability allows remote, unauthenticated attackers to disclose sensitive credentials, specifically the Twilio accountSID and authToken, in plaintext. Such a compromise of sensitive authentication data can lead to unauthorized access to user data and communications handled through the Twilio account.

The exposure of sensitive credentials and potential unauthorized access could result in violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and sensitive data confidentiality and integrity.

Therefore, organizations using the affected Botpress Twilio integration webhook handler may face compliance risks due to this vulnerability, as it undermines the security measures necessary to protect sensitive data in accordance with these standards.

Mitigation Strategies

Immediate mitigation steps include implementing validation of the 'X-Twilio-Signature' header in the webhook handler to ensure that incoming POST requests are genuinely from Twilio.

Since no known patch or solution is currently available, it is critical to restrict access to the webhook endpoint, for example by using network-level controls such as IP whitelisting to allow only Twilio IP addresses.

Additionally, monitor and audit outgoing HTTP requests to user-controlled URLs to prevent leaking Twilio credentials.

Consider rotating Twilio credentials (accountSID and authToken) if compromise is suspected.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4984. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart