CVE-2026-61436
Received Received - Intake

PraisonAI AgentMail Webhook Signature Bypass

Vulnerability report for CVE-2026-61436, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payloads to the webhook endpoint to invoke configured agents with arbitrary sender addresses and message content.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
praisonai agentmail to 4.6.78 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-61436 is a vulnerability in PraisonAI versions before 4.6.78 where webhook signatures in AgentMail mode are not verified. This allows unauthenticated attackers to forge Svix webhook signatures and send crafted JSON payloads to trigger arbitrary message.received events. Attackers can then invoke configured agents with manipulated sender addresses and message content.

Impact Analysis

This vulnerability allows attackers to send unauthorized messages, impersonate users, or trigger agents with fake data. It could lead to unauthorized model or API usage, forged workflow inputs, data breaches, or integrity violations. Systems relying on AgentMail webhook mode are at risk of spoofed events and agent manipulation.

Compliance Impact

This vulnerability could lead to unauthorized data access or manipulation, violating confidentiality and integrity requirements in GDPR and HIPAA. Unauthorized agent invocations may result in improper data processing, breaching compliance with data protection and security standards.

Detection Guidance

To detect this vulnerability, check if PraisonAI is running versions before 4.6.78. Inspect webhook endpoints for Svix signature verification. Monitor for unauthorized agent invocations or unexpected message.received events in logs.

Mitigation Strategies

Upgrade PraisonAI to version 4.6.78 or later. Ensure webhook secret is configured and validated. Implement signature verification for Svix webhooks before processing events. Block unsigned or forged message.received events.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61436. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart