Skip to main content

Botpress

1 CVEs product

Monthly

CVE-2026-4984 HIGH This Week

Unauthenticated credential theft in Botpress Twilio integration allows remote attackers to capture plaintext Twilio account credentials (accountSID and authToken) via forged webhook requests. The webhook handler fails to validate X-Twilio-Signature headers and can be tricked into making HTTP requests to attacker-controlled servers with embedded credentials in Authorization headers, enabling full Twilio account compromise. CVSS score of 8.2 reflects high confidentiality impact with low attack complexity and no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).

Information Disclosure Botpress
NVD
CVSS 3.1
8.2
EPSS
0.0%
EPSS 0% CVSS 8.2
HIGH This Week

Unauthenticated credential theft in Botpress Twilio integration allows remote attackers to capture plaintext Twilio account credentials (accountSID and authToken) via forged webhook requests. The webhook handler fails to validate X-Twilio-Signature headers and can be tricked into making HTTP requests to attacker-controlled servers with embedded credentials in Authorization headers, enabling full Twilio account compromise. CVSS score of 8.2 reflects high confidentiality impact with low attack complexity and no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).

Information Disclosure Botpress
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy