CVE-2026-32096: CWE-918: Server-Side Request Forgery (SSRF) in useplunk plunk
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0.
AI Analysis
Technical Summary
CVE-2026-32096 is a critical SSRF vulnerability identified in Plunk, an open-source email platform built on AWS Simple Email Service (SES). The vulnerability resides in the SNS webhook handler component of Plunk versions prior to 0.7.0. An unauthenticated attacker can send a specially crafted request to the webhook endpoint, causing the server to perform an arbitrary outbound HTTP GET request to any host accessible from the server’s network environment. This SSRF flaw allows attackers to potentially access internal services, metadata endpoints, or other sensitive resources that are not normally exposed externally. The vulnerability does not require authentication or user interaction, making it highly exploitable remotely. The CVSS v3.1 base score is 9.3, indicating critical severity with a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N, meaning network attack vector, low complexity, no privileges or user interaction required, scope changed, high confidentiality impact, low integrity impact, and no availability impact. Although no known exploits are reported in the wild yet, the vulnerability’s nature and ease of exploitation make it a significant threat. The issue was resolved in Plunk version 0.7.0 by fixing the webhook handler to properly validate and restrict outbound requests. This vulnerability highlights the risks of SSRF in cloud-integrated applications, especially those handling inbound webhooks and interacting with internal or cloud metadata services.
Potential Impact
The primary impact of this SSRF vulnerability is on confidentiality, as attackers can leverage it to access internal network resources, cloud metadata services (such as AWS EC2 instance metadata), or other sensitive endpoints not intended for public access. This can lead to leakage of sensitive information including credentials, configuration data, or internal APIs. Integrity impact is limited but possible if attackers use SSRF to interact with internal services that perform state changes. Availability is not directly affected by this vulnerability. Because the vulnerability requires no authentication and no user interaction, it can be exploited remotely by any attacker aware of the webhook endpoint. Organizations running affected versions of Plunk expose themselves to potential data breaches and reconnaissance by attackers. The scope of impact is broad due to the common use of AWS SES and open-source email platforms in various industries. This vulnerability could be leveraged as an initial access vector or for lateral movement within cloud environments.
Mitigation Recommendations
1. Immediately upgrade Plunk to version 0.7.0 or later, where the SSRF vulnerability is fixed.
2. Implement strict network egress filtering on servers running Plunk to restrict outbound HTTP requests only to trusted destinations, minimizing the risk of SSRF exploitation.
3. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious webhook requests that attempt to trigger SSRF behavior.
4. Monitor logs for unusual outbound HTTP requests originating from the Plunk server, especially to internal IP ranges or cloud metadata endpoints.
5. If upgrading is not immediately possible, consider disabling or restricting the SNS webhook handler until a patch can be applied.
6. Conduct a security review of all webhook handlers and external-facing endpoints to ensure proper input validation and outbound request controls are in place.
7. Educate developers and administrators about SSRF risks in cloud environments and enforce secure coding practices to prevent similar vulnerabilities.
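The kind of outbound request control that recommendation 6 asks reviewers to look for, as an added example that is not Plunk's code or its 0.7.0 fix. It assumes the handler fetches a URL carried in the SNS message body (`SubscribeURL` and `SigningCertURL` are standard SNS fields; the page does not say which field was involved), and the host pattern and the names `safeSnsUrl` and `checkSnsMessage` are hypothetical.

```javascript
// Added example, not Plunk's code. Assumption: the webhook handler fetches a URL
// taken from the SNS message body before the message has been authenticated.
// Assumed allowlist: regional SNS endpoints (commercial and China partitions).
const SNS_HOST = /^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$/;

// Returns the normalised URL string if it is safe to fetch, otherwise null.
function safeSnsUrl(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw); // WHATWG parser: lowercases the host, resolves odd syntax
  } catch {
    return null; // relative or unparseable input
  }
  if (url.protocol !== "https:") return null; // rejects http:, file:, etc.
  if (url.username !== "" || url.password !== "") return null; // "allowed-host@other-host"
  if (url.port !== "") return null; // an explicit :443 is normalised to ""
  if (!SNS_HOST.test(url.hostname)) return null; // anchored match, no suffix tricks
  return url.href; // fetch this string, never the raw input
}

const URL_FIELDS = ["SubscribeURL", "SigningCertURL"];

// Checks every URL-bearing field of a parsed SNS message before anything is fetched.
function checkSnsMessage(message) {
  const urls = {};
  const rejected = [];
  for (const field of URL_FIELDS) {
    if (!(field in message)) continue;
    const safe = safeSnsUrl(message[field]);
    if (safe === null) rejected.push(field);
    else urls[field] = safe;
  }
  return { ok: rejected.length === 0, urls, rejected };
}

// Constructed sample messages (not captured traffic).
const genuineLooking = {
  Type: "SubscriptionConfirmation",
  SubscribeURL: "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=EXAMPLE",
  SigningCertURL: "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-EXAMPLE.pem",
};
const forged = {
  Type: "SubscriptionConfirmation",
  SubscribeURL: "http://169.254.169.254/latest/meta-data/",
  SigningCertURL: "https://sns.us-east-1.amazonaws.com.attacker.example/cert.pem",
};
console.log(checkSnsMessage(genuineLooking).ok, checkSnsMessage(forged).rejected);
```

When the validated URL is fetched, redirects should be refused (for example `redirect: "error"` with `fetch`) so that an allowed host cannot bounce the request to an internal address.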
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.853Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1cd382f860ef943720744
Added to database: 3/11/2026, 8:14:48 PM
Last enriched: 3/11/2026, 8:29:34 PM
Last updated: 3/11/2026, 9:46:51 PM