Description
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0.
Published: 2026-05-08
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Plunk’s /webhooks/sns endpoint accepted Amazon SNS payloads without validating the SNS signature, certificate, or topic ARN. This omission let an attacker forge a webhook that appears legitimate and trigger any configured workflow automation, unsubscribe contacts, alter email delivery metrics, or consume billing credits. The weakness corresponds to CWE‑347 and can severely compromise data integrity and cost control.

Affected Systems

The vulnerability affects Plunk deployments built on the useplunk:plunk product running any version prior to 0.9.0. Administrators should confirm the running version and upgrade if necessary.

Risk and Exploitability

With a CVSS score of 9.1 the vulnerability is considered critical. It is not listed in KEV and no EPSS value is available, but the lack of authentication means any malicious actor can send crafted POST requests directly to the endpoint. Successful exploitation would result in unauthorized workflow execution and potentially large financial impact through excess usage.

Generated by OpenCVE AI on May 8, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Plunk to version 0.9.0 or later to enforce SNS signature validation.
  • Restrict access to the /webhooks/sns endpoint to known IP ranges or through a protected network until verification is fully enabled.
  • Enable detailed logging and alerting on the /webhooks/sns endpoint to detect and investigate suspicious incoming requests.

Generated by OpenCVE AI on May 8, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Useplunk
Useplunk plunk
Vendors & Products Useplunk
Useplunk plunk

Fri, 08 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0.
Title Plunk: SNS webhook forgery
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Useplunk Plunk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:12:26.450Z

Reserved: 2026-04-25T01:53:21.584Z

Link: CVE-2026-42193

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T22:16:31.273

Modified: 2026-05-08T22:16:31.273

Link: CVE-2026-42193

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T23:00:15Z

Weaknesses