CVE-2026-34975
CRLF Injection in Plunk Email Headers Enables Spoofing

Publication date: 2026-04-06

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME messages without sanitization. An authenticated API user could inject arbitrary email headers (e.g. Bcc, Reply-To) by embedding carriage return/line feed characters in these fields, enabling silent email forwarding, reply redirection, or sender spoofing. The fix adds input validation at the schema level to reject any of these fields containing \r or \n characters, consistent with the existing validation already applied to the contentId field. This vulnerability is fixed in 0.8.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: useplunk
Product: plunk
Version / Range: versions before 0.8.0 (0.8.0 itself excluded)
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34975 is a high-severity CRLF (Carriage Return Line Feed) email header injection vulnerability found in the Plunk open-source email platform, specifically in the SESService.ts component before version 0.8.0.

The vulnerability occurs because user-supplied inputs such as from.name, subject, custom email header keys/values, and attachment filenames are directly inserted into raw MIME email messages without proper sanitization.

An authenticated API user can exploit this by embedding CRLF characters (\r or \n) in these fields to inject arbitrary email headers like Bcc or Reply-To.

This allows actions such as silent email forwarding, reply redirection, or sender spoofing.

The issue was fixed in version 0.8.0 by adding schema-level input validation to reject any fields containing CRLF characters.


How can this vulnerability impact me?

This vulnerability can have significant impacts including unauthorized email manipulation.

  • Silent email forwarding, where emails are forwarded without the sender's or recipient's knowledge.
  • Reply redirection, causing replies to be sent to unintended recipients.
  • Sender spoofing, allowing attackers to impersonate legitimate senders.

These impacts can lead to unauthorized data disclosure and compromise confidentiality.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves injection of CRLF characters into email header fields such as from.name, subject, custom header keys/values, and attachment filenames. Detection involves inspecting email headers for unexpected or suspicious carriage return and line feed characters (\r or \n) that could indicate header injection.

You can monitor outgoing emails generated by the Plunk platform for unusual headers like unexpected Bcc or Reply-To fields that were not set by legitimate users.

To detect potential exploitation, search API request logs and raw email files. Keep in mind that grep reads its input line by line: an injected CR LF pair that has already been written out as a real line break can no longer be matched as a CR LF pair inside one line. Look instead for the escaped form that JSON request logs store, for a carriage return that is not at the end of a line, and for header lines that a legitimate send would not contain:

  • grep -nE '\\r|\\n' /path/to/api/request.log   (escaped CR or LF inside logged JSON string values; attribute hits to the header fields, since a message body may legitimately contain line breaks)
  • grep -nP '\r(?!$)' /path/to/email/files   (a bare carriage return embedded mid-line rather than terminating it)
  • grep -niE '^(Bcc|Reply-To):' /path/to/email/files   (injected headers show up as ordinary header lines in the sent message)

Additionally, reviewing API request logs for user-supplied input fields containing CR or LF characters can help identify attempts to exploit this vulnerability.
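The two checks this answer describes, run over a constructed JSON-per-line API request log and over a raw message header block, as an added TypeScript example that is not from the page or from Plunk. The log layout, field names and sample records are assumptions, and the body walk deliberately goes beyond the four fields the advisory names so that any CR/LF-bearing string in a request is reported:

```typescript
// Constructed detection example, not code from the page or from Plunk. The JSON-per-line
// log layout, the field names and the sample records below are assumptions.
// Walk a parsed request body and return the path of every string value or object key
// that carries a CR or LF. Broader than the four fields the advisory names on purpose.
function crlfPaths(v: unknown, path: string = "body"): string[] {
  const out: string[] = [];
  if (typeof v === "string") {
    if (/[\r\n]/.test(v)) out.push(path);
  } else if (Array.isArray(v)) {
    v.forEach((x, i) => out.push(...crlfPaths(x, `${path}[${i}]`)));
  } else if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    for (const k of Object.keys(o)) {
      if (/[\r\n]/.test(k)) out.push(`${path}.<key ${JSON.stringify(k)}>`);
      out.push(...crlfPaths(o[k], `${path}.${k}`));
    }
  }
  return out;
}

// One JSON record per line; lines that are not JSON are skipped. Returns "line N: path".
function scanRequestLog(log: string): string[] {
  const hits: string[] = [];
  log.split("\n").forEach((line, i) => {
    let rec: { body?: unknown } | undefined;
    try { rec = JSON.parse(line); } catch { /* not a JSON record, skip it */ }
    if (!rec) return;
    for (const p of crlfPaths(rec.body)) hits.push(`line ${i + 1}: ${p}`);
  });
  return hits;
}

// Header names a legitimate send is expected to produce; anything else in the header
// block of a sent message (a Bcc or Reply-To nobody set) deserves a look.
const EXPECTED_HEADERS = ["from", "to", "subject", "date", "message-id", "mime-version", "content-type"];
function unexpectedHeaders(raw: string): string[] {
  const head = raw.split(/\r?\n\r?\n/)[0];
  return head.split(/\r?\n/)
    .filter((l) => !/^\s/.test(l))  // folded continuation lines belong to the previous header
    .map((l) => l.slice(0, l.indexOf(":")).trim().toLowerCase())
    .filter((n) => n !== "" && EXPECTED_HEADERS.indexOf(n) === -1);
}

// Constructed sample log: record 2 carries CR LF in from.name, record 3 a bare LF in an
// attachment filename, both stored in the escaped form JSON serialisation produces.
const SAMPLE_LOG = [
  '{"path":"/v1/send","body":{"from":{"name":"Billing","email":"billing@example.com"},"to":"a@example.com","subject":"Invoice"}}',
  '{"path":"/v1/send","body":{"from":{"name":"Billing\\r\\nBcc: hidden@example.invalid","email":"billing@example.com"},"to":"a@example.com","subject":"Invoice"}}',
  '{"path":"/v1/send","body":{"from":{"name":"Billing","email":"billing@example.com"},"to":"a@example.com","subject":"Invoice","attachments":[{"filename":"inv.pdf\\nReply-To: x@example.invalid"}]}}',
].join("\n");
```

scanRequestLog(SAMPLE_LOG) reports records 2 and 3 with the exact field path, and unexpectedHeaders() applied to a sent message's header block surfaces a Bcc or Reply-To that the expected set does not contain.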


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Plunk to version 0.8.0 or later, where the vulnerability is fixed by adding schema-level input validation that rejects any fields containing carriage return (\r) or line feed (\n) characters.

Until the upgrade can be applied, you should:

  • Restrict API user privileges to minimize the risk of an authenticated user exploiting this vulnerability.
  • Implement input validation or sanitization on the client side or at a proxy level to reject or escape CRLF characters in email header fields.
  • Monitor outgoing emails and API logs for suspicious header injections or unexpected email headers.

These steps help reduce the risk of exploitation until the official fix is deployed.
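The injection mechanism described in the explanation at the top of this Q&A, beside the schema-level CR/LF rejection this answer recommends, as an added TypeScript example that is not Plunk's code: EmailInput, buildRawMessageUnchecked, validateInput, buildRawMessage and headerNames are made-up names, and the real SESService.ts is not reproduced here.

```typescript
// Constructed TypeScript example of the pattern the advisory describes, not Plunk's
// own code: a raw-MIME builder that interpolates user-controlled fields into header
// lines, beside the schema-level CR/LF check. All names here are assumptions.
interface EmailInput {
  from: { name: string; email: string };
  to: string;
  subject: string;
  headers?: Record<string, string>;
  attachmentFilename?: string;
}

// Unchecked form: a CR LF inside any of these fields ends the header line early,
// so whatever follows it is emitted as an additional header.
function buildRawMessageUnchecked(m: EmailInput): string {
  const lines = [`From: ${m.from.name} <${m.from.email}>`, `To: ${m.to}`, `Subject: ${m.subject}`];
  const hdrs = m.headers ?? {};
  for (const k of Object.keys(hdrs)) lines.push(`${k}: ${hdrs[k]}`);
  if (m.attachmentFilename !== undefined) {
    lines.push(`Content-Disposition: attachment; filename="${m.attachmentFilename}"`);
  }
  return lines.join("\r\n") + "\r\n\r\n";
}

// Schema-level check equivalent to the 0.8.0 fix: every field that reaches a header
// line is rejected outright if it carries a CR or LF (no escaping, no stripping).
const CRLF = /[\r\n]/;
function validateInput(m: EmailInput): string[] {
  const bad: string[] = [];
  const check = (field: string, value: string) => { if (CRLF.test(value)) bad.push(field); };
  check("from.name", m.from.name);
  check("subject", m.subject);
  const hdrs = m.headers ?? {};
  for (const k of Object.keys(hdrs)) { check("headers.key", k); check("headers.value", hdrs[k]); }
  if (m.attachmentFilename !== undefined) check("attachment.filename", m.attachmentFilename);
  return bad;
}

// Hardened form: validate first, then build exactly as before.
function buildRawMessage(m: EmailInput): string {
  const bad = validateInput(m);
  if (bad.length > 0) throw new Error(`CR/LF not allowed in: ${bad.join(", ")}`);
  return buildRawMessageUnchecked(m);
}

// Header names actually present in a built message, to show what was emitted.
function headerNames(raw: string): string[] {
  const head = raw.split("\r\n\r\n")[0];
  return head.split("\r\n").map((l) => l.slice(0, l.indexOf(":")));
}
```

Rejecting the request outright, rather than stripping or escaping the characters, is what keeps the builder's behaviour identical for every input it accepts.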


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CRLF email header injection vulnerability in Plunk allows an authenticated API user to inject arbitrary email headers, enabling silent email forwarding, reply redirection, or sender spoofing.

Such unauthorized email manipulation can lead to unauthorized disclosure of sensitive information, which may violate data protection requirements under regulations like GDPR and HIPAA.

Because the vulnerability impacts confidentiality by allowing unauthorized data access, it poses a risk to compliance with standards that mandate protection of personal and sensitive data.

The fix implemented in version 0.8.0 mitigates this risk by adding input validation to prevent injection of malicious headers, thereby helping maintain compliance with these regulations.

