CVE-2026-61428: PraisonAI: webhook signature bypass enables spoofing

HIGH
Published July 11, 2026
CISO Take

PraisonAI's AgentMail integration accepts inbound webhook events without verifying their signature, so anyone who can reach the endpoint can POST a forged message.received payload with a spoofed sender address and have it treated as a legitimate inbound message. Because the flaw sits in the webhook trust boundary rather than the LLM itself, an attacker doesn't need any AI/ML expertise — CVSS 7.3, network access, low complexity, and no authentication or user interaction are enough to inject arbitrary content into the agent's context and bypass the sender allow/block list, which is the control most teams rely on to keep AgentMail agents from acting on untrusted input. There's no CISA KEV listing, no public exploit code, and EPSS data isn't available yet, so this looks pre-weaponized rather than actively exploited — but the low bar to exploit (a single unauthenticated POST) means that can change fast once the advisory circulates. The practical risk is the agent auto-replying to attacker-controlled addresses or acting on injected instructions as if they came from a trusted sender, opening the door to phishing, data leakage, or downstream automation abuse. Teams running PraisonAI AgentMail in webhook mode should upgrade to 4.6.78 or later immediately, and until then should front the webhook endpoint with HMAC or IP allowlisting at the network layer and audit recent message.received events for spoofed senders.

Sources: NVD GitHub Advisory ATLAS vulncheck.com

What is the risk?

High exploitability with limited-but-real impact. AV:N/AC:L/PR:N/UI:N means any unauthenticated network attacker who can reach the webhook URL can trigger the flaw with a single crafted request — no social engineering or prior access needed. Impact is capped at C:L/I:L/A:L (CVSS 7.3, high but not critical) because the vulnerability doesn't grant direct system compromise; it grants the ability to spoof trusted input into the agent's decision-making, which is a confidentiality/integrity issue at the application logic layer (CWE-290, authentication bypass by spoofing) rather than remote code execution. No CISA KEV entry, no EPSS score, and no known public exploit or Nuclei template currently exist, so there's no evidence of active or automated exploitation yet — but the attack requires no special tooling, which keeps the real-world exploitation bar low once the GitHub Security Advisory (GHSA-qj9c-59p6-8cgx) is more widely indexed by scanners.

How does the attack unfold?

Initial Access
Attacker POSTs a crafted message.received payload directly to the unauthenticated AgentMail webhook endpoint.
AML.T0049
Injection
The forged event, with a spoofed sender address, is accepted with no signature check and bypasses the sender allow/block list.
AML.T0051.001
Context Poisoning
The agent treats the spoofed content as a legitimate inbound message and incorporates it into its active context.
AML.T0080.001
Impact
The agent auto-replies or acts on the injected instructions, sending content to an attacker-controlled address and enabling phishing or data leakage.
AML.T0073

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PraisonAI pip No patch
1 dependents 74% patched ~0d to patch Full package profile →

Do you use PraisonAI? You're affected.

How severe is it?

CVSS 3.1
7.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C Low
I Low
A Low

What should I do?

1 step
  1. Upgrade PraisonAI / the AgentMail component to version 4.6.78 or later, which adds webhook signature verification. Until patched, avoid webhook mode for AgentMail where possible and prefer polling/OAuth-based inbound modes. As a compensating control, place the webhook endpoint behind a reverse proxy that enforces HMAC signature validation or restricts source IPs to the email provider's published webhook ranges. Audit logs for message.received events with sender addresses that don't match your provider's actual delivery infrastructure, and specifically look for replies sent to previously-unseen or non-allowlisted addresses. After patching, rotate any webhook shared secrets and re-verify the allow/block list is being enforced end-to-end.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system security controls
NIST AI RMF
MEASURE 2.7 - AI system security and resilience evaluation
OWASP LLM Top 10
LLM01 - Prompt Injection

Frequently Asked Questions

What is CVE-2026-61428?

PraisonAI's AgentMail integration accepts inbound webhook events without verifying their signature, so anyone who can reach the endpoint can POST a forged message.received payload with a spoofed sender address and have it treated as a legitimate inbound message. Because the flaw sits in the webhook trust boundary rather than the LLM itself, an attacker doesn't need any AI/ML expertise — CVSS 7.3, network access, low complexity, and no authentication or user interaction are enough to inject arbitrary content into the agent's context and bypass the sender allow/block list, which is the control most teams rely on to keep AgentMail agents from acting on untrusted input. There's no CISA KEV listing, no public exploit code, and EPSS data isn't available yet, so this looks pre-weaponized rather than actively exploited — but the low bar to exploit (a single unauthenticated POST) means that can change fast once the advisory circulates. The practical risk is the agent auto-replying to attacker-controlled addresses or acting on injected instructions as if they came from a trusted sender, opening the door to phishing, data leakage, or downstream automation abuse. Teams running PraisonAI AgentMail in webhook mode should upgrade to 4.6.78 or later immediately, and until then should front the webhook endpoint with HMAC or IP allowlisting at the network layer and audit recent message.received events for spoofed senders.

Is CVE-2026-61428 actively exploited?

No confirmed active exploitation of CVE-2026-61428 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-61428?

Upgrade PraisonAI / the AgentMail component to version 4.6.78 or later, which adds webhook signature verification. Until patched, avoid webhook mode for AgentMail where possible and prefer polling/OAuth-based inbound modes. As a compensating control, place the webhook endpoint behind a reverse proxy that enforces HMAC signature validation or restricts source IPs to the email provider's published webhook ranges. Audit logs for message.received events with sender addresses that don't match your provider's actual delivery infrastructure, and specifically look for replies sent to previously-unseen or non-allowlisted addresses. After patching, rotate any webhook shared secrets and re-verify the allow/block list is being enforced end-to-end.

What systems are affected by CVE-2026-61428?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, webhook-triggered agents, email/message automation pipelines.

What is the CVSS score for CVE-2026-61428?

CVE-2026-61428 has a CVSS v3.1 base score of 7.3 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworkswebhook-triggered agentsemail/message automation pipelines

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0051.001 Indirect
AML.T0080.001 Thread
AML.T0093 Prompt Infiltration via Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM01

What are the technical details?

Original Advisory

PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and trigger replies to attacker-controlled addresses, bypassing sender allow/block lists.

Exploitation Scenario

An attacker fingerprints a target organization's AgentMail webhook endpoint (e.g., from exposed documentation, a leaked integration URL, or by probing common webhook paths). They craft a JSON payload mimicking a legitimate message.received event, spoofing the "from" field to match an internal executive or an address already on the target's sender allow list, and POST it directly to the webhook with no valid signature header. Because the server never checks for a signature, the payload is accepted as genuine, the spoofed sender sails past the allow/block list, and the agent processes the injected body as trusted input — for example replying with sensitive information, forwarding data, or sending a follow-up phishing link to an attacker-controlled address, all while appearing in logs as a normal inbound conversation.

Weaknesses (CWE)

CWE-290 — Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Timeline

Published
July 11, 2026
Last Modified
July 11, 2026
First Seen
July 11, 2026

Related Vulnerabilities