Primary

Context

Plunk Webhook Forgery Vulnerability in Amazon SNS Integration

Vulnerability

A vulnerability exists in Plunk, an open-source email platform that utilizes AWS SES, in versions prior to 0.9.0. The issue arises in the /webhooks/sns endpoint, which processes Amazon SNS notification payloads from unauthenticated requests without proper verification of the SNS signature, certificate, or topic ARN. This lack of validation allows anyone to forge a webhook request that appears legitimate. As a result, an unauthenticated attacker could spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially deplete billing credits.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of workflow automations, contact subscriptions, email delivery metrics, and billing credits.

Remediation

Users can upgrade to Plunk version 0.9.0 or later, where this vulnerability has been patched.

Added: May 8, 2026, 10:26 PM

Updated: May 8, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.4

remediation

0.0

relevance

7.8

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.4

remediation

0.0

relevance

7.8

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Plunk Webhook Forgery Vulnerability in Amazon SNS Integration

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating