EUVD-2026-16632

| CVE-2026-4984 HIGH
2026-03-27 tenable
8.2
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 27, 2026 - 14:30 (vuln.today)
EUVD ID Assigned: Mar 27, 2026 - 14:30 (euvd), EUVD-2026-16632
CVE Published: Mar 27, 2026 - 14:13 (nvd)

Description

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.

Analysis

Unauthenticated credential theft in Botpress Twilio integration allows remote attackers to capture plaintext Twilio account credentials (accountSID and authToken) via forged webhook requests. The webhook handler fails to validate X-Twilio-Signature headers and can be tricked into making HTTP requests to attacker-controlled servers with embedded credentials in Authorization headers, enabling full Twilio account compromise. …


Remediation

Within 24 hours: Identify all Botpress deployments with active Twilio integrations and temporarily disable the Twilio integration feature until remediation is available; review Twilio account access logs for unauthorized activity. Within 7 days: Rotate all Twilio accountSID and authToken credentials; implement network segmentation to restrict outbound HTTP requests from Botpress instances; document all credentials that may have been exposed. …


Priority Score

41
KEV: 0
EPSS: +0.0
CVSS: +41
POC: 0


EUVD-2026-16632 vulnerability details – vuln.today
