CVE-2026-15192
Received Received - Intake

Authentication Bypass in Mettle SendPortal APIv1 Webhooks

Vulnerability report for CVE-2026-15192, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulDB

Description

A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mettle sendportal to 3.0.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15192 is a security vulnerability in the mettle sendportal software up to version 3.0.1. It affects the APIv1 Webhooks component, specifically the functions handling webhooks from email providers such as SendGrid, Postmark, Postal, and Mailjet.

The vulnerability arises because the webhook handlers do not verify the authenticity of incoming webhook events. This missing authentication allows unauthenticated attackers to forge webhook events by submitting fake bounce notifications using a valid message ID.

As a result, attackers can manipulate subscriber status by marking subscribers as unsubscribed without proper verification, which disrupts normal email campaign delivery.

Impact Analysis

This vulnerability can impact you by allowing attackers to remotely submit forged webhook events that falsely mark subscribers as unsubscribed.

Consequently, legitimate subscribers may be prevented from receiving future email campaigns, which can degrade communication effectiveness and harm marketing efforts.

Since the attack can be carried out remotely without authentication, it poses a significant risk to the integrity of subscriber management and email delivery.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious webhook events targeting the SendGrid, Postmark, Postal, or Mailjet webhook endpoints of the SendPortal APIv1 Webhooks component.

Specifically, detection involves checking for webhook requests that lack proper signature verification headers, such as SendGrid's X-Twilio-Email-Event-Webhook-Signature header, or other provider-specific authenticity mechanisms.

Commands to help detect such activity could include inspecting web server logs or using network monitoring tools to filter HTTP POST requests to the webhook endpoints and verify the presence or absence of expected signature headers.

  • Use grep or similar tools to search web server logs for POST requests to webhook URLs missing signature headers, e.g., `grep 'POST /api/v1/webhooks/sendgrid' /var/log/nginx/access.log | grep -v 'X-Twilio-Email-Event-Webhook-Signature'`
  • Use packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to webhook endpoints and analyze headers for missing authentication signatures.
Mitigation Strategies

The immediate mitigation step is to implement provider-specific webhook authenticity verification before processing any incoming webhook payloads.

This means validating signatures or other authenticity headers provided by email providers such as SendGrid's X-Twilio-Email-Event-Webhook-Signature header to ensure that webhook events are legitimate.

Until an official patch or update is released, you should consider blocking or filtering webhook requests that do not contain valid authentication signatures to prevent unauthorized state modifications.

Compliance Impact

The vulnerability allows unauthenticated attackers to forge webhook events, leading to unauthorized modification of subscriber states, such as marking subscribers as unsubscribed.

This unauthorized state modification could impact compliance with regulations like GDPR and HIPAA, which require proper protection of personal data and user consent management.

Specifically, the ability to manipulate subscription status without verification may violate requirements for data integrity and user consent under these standards.

However, the provided information does not explicitly detail compliance impacts or regulatory assessments.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart