Skip to main content

Botpress CVE-2026-4984

| EUVDEUVD-2026-16632 HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-03-27 tenable
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 27, 2026 - 14:30 euvd
EUVD-2026-16632
Analysis Generated
Mar 27, 2026 - 14:30 vuln.today
CVE Published
Mar 27, 2026 - 14:13 nvd
HIGH 8.2

DescriptionCVE.org

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'.

When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header.

An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.

AnalysisAI

Unauthenticated credential theft in Botpress Twilio integration allows remote attackers to capture plaintext Twilio account credentials (accountSID and authToken) via forged webhook requests. The webhook handler fails to validate X-Twilio-Signature headers and can be tricked into making HTTP requests to attacker-controlled servers with embedded credentials in Authorization headers, enabling full Twilio account compromise. CVSS score of 8.2 reflects high confidentiality impact with low attack complexity and no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).

Technical ContextAI

The vulnerability affects Botpress (cpe:2.3:a:botpress:botpress:*:*:*:*:*:*:*:*), an open-source conversational AI platform. The Twilio integration module processes incoming webhooks that should be authenticated using Twilio's standard X-Twilio-Signature HTTP header mechanism, which validates requests via HMAC-SHA1 signatures. The missing signature validation allows arbitrary POST requests to trigger the webhook handler. When processing MMS messages containing media, the handler fetches content from user-supplied MediaUrlN parameters using HTTP client code that incorrectly includes the integration's Twilio API credentials in outbound Authorization headers as base64-encoded Basic Authentication. This represents a credential leakage vulnerability where authentication tokens are transmitted to attacker-controlled endpoints during normal processing of webhook parameters.

RemediationAI

Consult the Tenable Security Research advisory at https://www.tenable.com/security/research/tra-2026-22 for vendor-released patch versions and upgrade immediately to any confirmed fixed release. No vendor-released patch version is independently confirmed from the available intelligence data. Until patching is completed, disable the Twilio integration webhook endpoint or implement reverse proxy authentication to restrict webhook POST requests exclusively to Twilio's published IP address ranges (available in Twilio's documentation). Rotate all exposed Twilio accountSID and authToken credentials immediately if the vulnerable webhook has been internet-accessible. Implement X-Twilio-Signature validation in any custom middleware as an additional defense layer. Monitor Twilio account activity logs for unauthorized API usage patterns indicating credential compromise.

Share

CVE-2026-4984 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy