CVE-2026-42193: CWE-347: Improper Verification of Cryptographic Signature in useplunk plunk
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0.
AI Analysis
Technical Summary
Plunk versions before 0.9.0 contain an improper verification of cryptographic signatures (CWE-347) in the /webhooks/sns endpoint. The endpoint accepts Amazon SNS notification payloads without validating their authenticity: neither the SNS signature, nor the signing certificate, nor the topic ARN is checked. Consequently, attackers can forge SNS webhook requests that appear valid, allowing them to manipulate the platform's email workflows and metrics. The vulnerability is fixed in version 0.9.0. Since Plunk is a cloud-hosted service, the vendor is responsible for applying patches and managing remediation.
Potential Impact
An attacker can spoof SNS events without authentication, leading to unauthorized triggering of workflow automations, unsubscribing of contacts, manipulation of email delivery metrics, and potential exhaustion of billing credits. This can disrupt email operations and cause financial impact through the exhausted billing credits. There is no confirmed exploitation in the wild at this time.
Mitigation Recommendations
A patch is available and has been applied in Plunk version 0.9.0. Since Plunk is a cloud-hosted service, the vendor manages remediation and patch deployment. Users should verify they are running version 0.9.0 or later to ensure this vulnerability is mitigated, and check the vendor advisory for confirmation of patch deployment status.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-25T01:53:21.584Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Is Cloud Service: true
Threat ID: 69fe575bcbff5d86102f6112
Added to database: 5/8/2026, 9:36:27 PM
Last enriched: 5/8/2026, 9:51:24 PM
Last updated: 5/9/2026, 1:59:22 AM