CVE-2026-4984
Status: Received - Intake
Twilio Webhook SSRF and Signature Bypass Leads to Account Compromise

Publication date: 2026-03-27

Last updated on: 2026-03-27

Assigner: Tenable Network Security, Inc.

Description
The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.
Meta Information
Published: 2026-03-27
Last Modified: 2026-03-27
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor     Product                              Version / Range
botpress   twilio_integration_webhook_handler   *
twilio     twilio                               *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in CVE-2026-4984 affects the Botpress Twilio integration webhook handler. The handler accepts any POST request without verifying the 'X-Twilio-Signature' header, which is supposed to confirm that the request comes from Twilio.

When processing media messages, the handler fetches URLs provided by users in the 'MediaUrlN' parameters. These HTTP requests include the integration's Twilio credentials (accountSID and authToken) in the 'Authorization' header using base64-encoded Basic Authentication.

An attacker can exploit this by forging a webhook payload that points to a server they control. When the webhook handler fetches the media URL from the attacker's server, it sends the Twilio credentials in plaintext (base64-encoded) in the Authorization header, allowing the attacker to fully compromise the victim's Twilio account.


How can this vulnerability impact me?

This vulnerability can lead to a full compromise of your Twilio account. An attacker can remotely and without authentication obtain your Twilio account credentials (accountSID and authToken) in plaintext.

With these credentials, the attacker can access and control your Twilio account, potentially leading to unauthorized use of your services, exposure of sensitive information, and other malicious activities.

The impact is rated high for confidentiality, with limited impact on integrity and no impact on availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring POST requests to the Twilio integration webhook handler that carry no valid 'X-Twilio-Signature' header. Additionally, inspecting the HTTP requests the webhook handler makes to user-controlled URLs (specified in 'MediaUrlN' parameters) for an 'Authorization' header containing the Twilio credentials can indicate exploitation attempts.

Commands to detect suspicious activity might include capturing and analyzing HTTP traffic to the webhook endpoint and outbound HTTP requests from the integration server. For example, using tcpdump or Wireshark to capture POST requests lacking the 'X-Twilio-Signature' header, or using curl or similar tools to simulate requests and observe responses.

  • Use tcpdump to capture POST requests to the webhook endpoint: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep POST (only plaintext HTTP is readable this way; traffic on port 443 is TLS-encrypted, so inspect it at the TLS-terminating proxy or in the application's request logs instead).
  • Check for missing 'X-Twilio-Signature' header in captured requests.
  • Monitor outbound HTTP requests from the integration server for Authorization headers containing base64-encoded Twilio credentials.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing validation of the 'X-Twilio-Signature' header in the webhook handler to ensure that incoming POST requests are genuinely from Twilio.

Since no known patch or solution is currently available, it is critical to restrict access to the webhook endpoint, for example by using network-level controls such as IP whitelisting to allow only Twilio IP addresses.

Additionally, monitor and audit outgoing HTTP requests to user-controlled URLs to prevent leaking Twilio credentials.

Consider rotating Twilio credentials (accountSID and authToken) if compromise is suspected.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows remote, unauthenticated attackers to disclose sensitive credentials, specifically the Twilio accountSID and authToken, in plaintext. Such a compromise of sensitive authentication data can lead to unauthorized access to user data and communications handled through the Twilio account.

The exposure of sensitive credentials and potential unauthorized access could result in violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and sensitive data confidentiality and integrity.

Therefore, organizations using the affected Botpress Twilio integration webhook handler may face compliance risks due to this vulnerability, as it undermines the security measures necessary to protect sensitive data in accordance with these standards.

