CVE-2026-42193
Received Received - Intake
Unauthenticated SNS Webhook Spoofing in Plunk

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42193
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
plunk plunk to 0.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Plunk, an open-source email platform using AWS SES, in versions prior to 0.9.0. The /webhooks/sns endpoint accepts Amazon SNS notification payloads without verifying the SNS signature, certificate, or topic ARN. This means that anyone can send forged webhook requests that appear valid.

Because of this lack of verification, an unauthenticated attacker can spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits.

This issue was fixed in version 0.9.0 by adding proper verification of SNS requests.

Impact Analysis

The vulnerability allows an attacker to spoof SNS events, which can have several impacts:

  • Trigger unauthorized workflow automations.
  • Unsubscribe contacts without permission.
  • Manipulate email delivery metrics, potentially affecting reporting and decision-making.
  • Exhaust billing credits by triggering excessive or fraudulent usage.
Mitigation Strategies

To mitigate this vulnerability, upgrade Plunk to version 0.9.0 or later, where the /webhooks/sns endpoint properly verifies Amazon SNS notification payloads by checking the SNS signature, certificate, and topic ARN.

Compliance Impact

The vulnerability allows unauthenticated attackers to spoof SNS events, which can lead to manipulation of email delivery metrics, unauthorized workflow automation triggers, and unsubscribing contacts without consent.

Such unauthorized actions could potentially result in non-compliance with regulations like GDPR and HIPAA, which require protection of personal data and user consent for communications.

Specifically, the ability to unsubscribe contacts or manipulate email workflows without proper authentication may violate user consent requirements and data integrity principles mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42193. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart