PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payloads to the webhook endpoint to invoke configured agents with arbitrary sender addresses and message content.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payloads to the webhook endpoint to invoke configured agents with arbitrary sender addresses and message content. | |
| Title | PraisonAI before 4.6.78 Missing Webhook Signature Verification | |
| First Time appeared |
Praison
Praison praisonai |
|
| Weaknesses | CWE-287 | |
| CPEs | cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Praison
Praison praisonai |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-15T12:39:30.217Z
Reserved: 2026-07-09T14:05:47.928Z
Link: CVE-2026-61436
Updated: 2026-07-15T12:39:11.031Z
No data.
No data.
OpenCVE Enrichment
No data.