CVE-2026-54695
Undergoing Analysis Undergoing Analysis - In Progress

Remote Code Execution in Pipecat Framework

Vulnerability report for CVE-2026-54695, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Prior to 1.4.0, the pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without authentication, reads an attacker-supplied callSid from a Twilio stream-start handshake in src/pipecat/runner/utils.py, and passes it to TwilioFrameSerializer so the server can issue an authenticated Twilio REST API hang-up request with the server operator's credentials; equivalent unauthenticated call-control sinks exist for Telnyx and Plivo. This issue is fixed in version 1.4.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
pipecat-ai pipecat to 1.4.0 (exc)
pipecat-ai pipecat 1.4.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-54695 vulnerability in the pipecat-ai/pipecat project involves an unauthenticated call-control abuse flaw in the Telephony WebSocket endpoint (`/ws`).

An attacker can connect to the unauthenticated `/ws` WebSocket endpoint, send a crafted Twilio handshake message containing a malicious `callSid`, and force the server to issue an authenticated Twilio REST API hang-up request against that call SID using the server operator's credentials.

This means the attacker can terminate active calls on the victim's Twilio account if they know or obtain a valid call SID. Similar vulnerabilities exist for Telnyx and Plivo integrations.

The root cause is that the server accepts WebSocket connections without authentication, extracts the `callSid` directly from attacker-controlled input, and uses it in API calls with the server's own credentials.

This issue affects pipecat versions up to 0.0.77 and versions before 1.4.0, and has been fixed in version 1.4.0.

Impact Analysis

This vulnerability can allow an attacker to forcibly terminate active calls on your telephony account by abusing the unauthenticated WebSocket endpoint.

It can lead to denial of service by disrupting legitimate call sessions.

Additionally, unauthorized call-control actions can be performed using your telephony provider credentials, potentially causing operational disruptions and misuse of your telephony resources.

The attack is feasible if the development runner's telephony `/ws` endpoint is exposed to untrusted networks and configured with Twilio, Telnyx, or Plivo credentials.

Detection Guidance

This vulnerability can be detected by checking if the pipecat development runner is exposing the /ws WebSocket endpoint without authentication. Monitoring network traffic for unauthenticated WebSocket connections to the /ws endpoint can indicate exposure.

You can use network inspection tools like tcpdump or Wireshark to capture WebSocket traffic on the relevant ports and look for connections to the /ws endpoint.

Additionally, you can use command-line tools such as curl or websocat to attempt connecting to the /ws WebSocket endpoint without authentication to test if it is accessible.

  • Use tcpdump to capture WebSocket traffic: tcpdump -i <interface> -A port <port_number> | grep '/ws'
  • Use websocat to test unauthenticated WebSocket connection: websocat ws://<server_address>/ws
  • Use curl to check HTTP upgrade requests (though limited for WebSocket): curl -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" ws://<server_address>/ws
Mitigation Strategies

The immediate mitigation step is to upgrade pipecat to version 1.4.0 or later, where the vulnerability is fixed by adding HMAC token authentication for WebSocket connections.

If upgrading immediately is not possible, restrict network access to the /ws WebSocket endpoint to trusted networks only, preventing unauthenticated external access.

Enable the WebSocket authentication feature by setting the environment variable PIPECAT_WEBSOCKET_AUTH=token or using the CLI flag --ws-auth token to require clients to authenticate with a short-lived HMAC token before establishing WebSocket connections.

Monitor WebSocket connections and reject any invalid, expired, or replayed tokens to prevent unauthorized call-control actions.

Compliance Impact

The provided context and resources do not explicitly discuss the impact of CVE-2026-54695 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54695. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart