Description
The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'.

When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header.

An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.
Published: 2026-03-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Twilio integration in Botpress accepts any POST request at its webhook handler without validating the X-Twilio-Signature header. It then follows user-controlled media URLs, sending HTTP requests that include the integration's Twilio credentials in the Authorization header. An attacker can forge a webhook payload that points to a malicious server, causing the victim's Twilio account SID and Auth Token to be transmitted in cleartext (Base64-encoded Basic Auth). The result is full compromise of the Twilio account, allowing the attacker to send messages, access phone numbers, and perform any action permitted in Twilio.

Affected Systems

The vulnerability applies to installations that use the Botpress open-source framework with the Twilio integration enabled. No specific version range is listed in the advisory, so any Botpress release containing the affected code must be reviewed and patched. Administrators should verify their Botpress version and apply updates as soon as they become available.

Risk and Exploitability

The CVSS base score is 8.2, indicating a high-severity vulnerability. The EPSS score is 0.00044, indicating a very low probability of exploitation, and the issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by sending a crafted POST request to the webhook endpoint from anywhere on the internet. Successful exploitation obtains the Twilio credentials, enabling complete control over the Twilio account and exposing the system to data loss, unauthorized communications, and potential financial loss.

Generated by OpenCVE AI on May 10, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Botpress patch or upgrade to a release that includes verification of the X-Twilio-Signature header.
  • If a patch is not yet available, temporarily disable the Twilio webhook integration or block inbound POST requests that lack a valid Twilio signature.
  • Ensure that outbound HTTP requests from the webhook no longer include the Twilio credentials in the Authorization header.
  • Monitor webhook logs for any unexpected POST requests and investigate anomalies.
  • Contact Botpress support if further assistance is required.
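As an added defensive example (not code from the advisory or from Botpress), the following Python implements the two checks the recommended actions above call for: verifying X-Twilio-Signature with Twilio's documented scheme before any MediaUrlN parameter is read, and attaching the account credentials only to requests bound for api.twilio.com over HTTPS. The webhook URL, Auth Token and form values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholder values; none of these come from the advisory.
AUTH_TOKEN = "constructed-auth-token-not-a-real-secret"
WEBHOOK_URL = "https://bot.example.com/integrations/twilio/webhook"
TWILIO_API_HOST = "api.twilio.com"


def twilio_signature(auth_token: str, url: str, form: dict) -> str:
    """Expected X-Twilio-Signature per Twilio's documented scheme: the full
    request URL exactly as Twilio called it (scheme, host, path, query string;
    beware proxies that rewrite these), followed by each POST field as key then
    value with keys sorted, HMAC-SHA1 under the Auth Token, Base64 digest."""
    payload = url + "".join(k + form[k] for k in sorted(form))
    digest = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_twilio_request(auth_token: str, url: str, form: dict,
                            header: Optional[str]) -> bool:
    """A missing header is a rejection, not a pass; compare in constant time."""
    if not header:
        return False
    expected = twilio_signature(auth_token, url, form)
    return hmac.compare_digest(expected.encode(), header.encode())


def should_attach_credentials(media_url: str) -> bool:
    """Send Basic Auth only to Twilio's API host over HTTPS. Any other host,
    including a redirect target, is fetched without an Authorization header."""
    parts = urlsplit(media_url)
    return parts.scheme == "https" and parts.hostname == TWILIO_API_HOST


def media_urls_to_fetch(auth_token: str, url: str, form: dict,
                        header: Optional[str]) -> list:
    """Return (media_url, attach_credentials) pairs for a verified webhook.
    Unverified webhooks are rejected before any outbound request is built."""
    if not is_valid_twilio_request(auth_token, url, form, header):
        raise PermissionError("X-Twilio-Signature missing or invalid; webhook rejected")
    count = int(form.get("NumMedia", "0"))  # NumMedia is Twilio's media count field
    keys = [f"MediaUrl{i}" for i in range(count) if f"MediaUrl{i}" in form]
    return [(form[k], should_attach_credentials(form[k])) for k in keys]
```

The signature must be computed over the URL Twilio actually requested, so a deployment behind a TLS-terminating proxy needs the public scheme and host, not the internal ones.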

Generated by OpenCVE AI on May 10, 2026 at 17:21 UTC.


Advisories

No advisories yet.

History

Sun, 10 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Sun, 10 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-345
CWE-352

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Botpress
Botpress botpress
Vendors & Products Botpress
Botpress botpress

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.
Title Botpress - Credential Disclosure via Twilio Webhook Handler
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-05-10T13:57:42.981Z

Reserved: 2026-03-27T12:42:10.936Z

Link: CVE-2026-4984

Vulnrichment

Updated: 2026-03-27T14:39:34.501Z

NVD

Status : Awaiting Analysis

Published: 2026-03-27T15:17:03.953

Modified: 2026-05-10T14:16:51.070

Link: CVE-2026-4984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T17:30:16Z

Weaknesses