Description
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME messages without sanitization. An authenticated API user could inject arbitrary email headers (e.g. Bcc, Reply-To) by embedding carriage return/line feed characters in these fields, enabling silent email forwarding, reply redirection, or sender spoofing. The fix adds input validation at the schema level to reject any of these fields containing \r or \n characters, consistent with the existing validation already applied to the contentId field. This vulnerability is fixed in 0.8.0.
Published: 2026-04-06
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SMTP Header Manipulation Leading to Spoofing or Redirection
Action: Patch Immediately
AI Analysis

Impact

Authenticated Plunk API users can insert carriage return/line feed characters into fields such as from.name, subject, custom header keys/values, and attachment filenames when the system builds raw MIME messages. This unsanitized input permits the injection of arbitrary email headers, for example Bcc or Reply-To, enabling silent forwarding of mail, redirection of replies, or spoofing of the sender. Such behavior enables covert communication or phishing attacks and undermines the authenticity and integrity of email traffic.

Affected Systems

Plunk, an open-source email platform built on AWS SES, is affected in versions prior to 0.8.0 where the SESService module lacks input validation. Versions 0.8.0 and later incorporate schema-level checks that reject CRLF characters in the affected fields.
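The schema-level check described above, written out as an added TypeScript example (this is not Plunk's own code, and the OutgoingMessage type, its field names and the helper names are assumptions chosen for illustration). Every value that ends up on a raw MIME header line is refused if it contains a carriage return or line feed, because either character would end the current header line and let the remainder of the value start a new one. The example covers the fields the advisory lists (from.name, subject, custom header keys and values, attachment filenames) and goes slightly beyond them by checking the address fields, which are written into the same header block; only the top-level header block is built, attachment parts are validated but not rendered.

```typescript
// Added example, not Plunk's own code. Shows the schema-level CRLF rejection
// the advisory describes. Type and field names below are assumptions.

interface OutgoingMessage {
  from: { name: string; address: string };
  to: string;
  subject: string;
  headers?: { [key: string]: string };
  attachments?: { filename: string; content: string }[];
}

// A single CR or LF is enough to split a header line, so both are rejected.
const CRLF_PATTERN = /[\r\n]/;

function containsCrlf(value: string): boolean {
  return CRLF_PATTERN.test(value);
}

// Reject one field; the error names the field so schema validation can
// report exactly which input was refused.
function assertNoCrlf(field: string, value: string): void {
  if (containsCrlf(value)) {
    throw new Error(field + " must not contain \\r or \\n characters");
  }
}

// Check every header-bound field before any of them reaches the MIME
// template: the fields the advisory lists plus the address fields, which
// land in the same header block.
function validateMessage(msg: OutgoingMessage): void {
  assertNoCrlf("from.name", msg.from.name);
  assertNoCrlf("from.address", msg.from.address);
  assertNoCrlf("to", msg.to);
  assertNoCrlf("subject", msg.subject);
  const headers = msg.headers || {};
  for (const key in headers) {
    if (Object.prototype.hasOwnProperty.call(headers, key)) {
      assertNoCrlf("headers key", key);
      assertNoCrlf("headers." + key, headers[key]);
    }
  }
  const attachments = msg.attachments || [];
  for (let i = 0; i < attachments.length; i++) {
    assertNoCrlf("attachments[" + i + "].filename", attachments[i].filename);
  }
}

// Build the header block of the raw message, the part where interpolated
// values land. Validation runs first, so the template only ever receives
// single-line values.
function buildRawHeaders(msg: OutgoingMessage): string {
  validateMessage(msg);
  const lines: string[] = [
    "From: " + msg.from.name + " <" + msg.from.address + ">",
    "To: " + msg.to,
    "Subject: " + msg.subject,
  ];
  const headers = msg.headers || {};
  for (const key in headers) {
    if (Object.prototype.hasOwnProperty.call(headers, key)) {
      lines.push(key + ": " + headers[key]);
    }
  }
  return lines.join("\r\n") + "\r\n";
}

// Number of header lines in a raw header block. When auditing stored raw
// messages, a count larger than the template can produce for a given
// request points at an injected line.
function countHeaderLines(raw: string): number {
  return raw.split("\r\n").filter(function (l) { return l.length > 0; }).length;
}
```

Rejecting the input outright, rather than stripping or encoding the offending characters, matches the fix described for 0.8.0 and keeps the validation identical to the check the advisory says already existed for contentId; a message with a multi-line header value is simply never constructed.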

Risk and Exploitability

The CVSS score of 8.5 classifies the flaw as high severity. Exploitation requires authenticated API credentials; no public exploit is known. EPSS data is not available and the issue is not listed in the CISA KEV catalogue. The principal threat comes from compromised or malicious users who hold API access, so the risk is significant for organizations that grant such privileges.

Generated by OpenCVE AI on April 6, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Plunk version 0.8.0 or later
  • Restrict API access to trusted and authenticated users only
  • Audit outgoing email logs for unexpected header injections


Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:useplunk:plunk:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Useplunk; Useplunk plunk
Vendors & Products | | Useplunk; Useplunk plunk

Mon, 06 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description at the top of this page)
Title | | Plunk has a CRLF Email Header Injection in raw MIME message construction allows authenticated API user to inject arbitrary email headers
Weaknesses | | CWE-93
References | |
Metrics | | cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:20:44.912Z

Reserved: 2026-03-31T19:38:31.616Z

Link: CVE-2026-34975

Vulnrichment

Updated: 2026-04-07T14:20:05.411Z

NVD

Status : Analyzed

Published: 2026-04-06T17:17:11.210

Modified: 2026-04-22T19:58:53.770

Link: CVE-2026-34975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:31:42Z

Weaknesses