CVE-2026-61428: PraisonAI: webhook signature bypass enables spoofing
HIGHPraisonAI's AgentMail integration accepts inbound webhook events without verifying their signature, so anyone who can reach the endpoint can POST a forged message.received payload with a spoofed sender address and have it treated as a legitimate inbound message. Because the flaw sits in the webhook trust boundary rather than the LLM itself, an attacker doesn't need any AI/ML expertise — CVSS 7.3, network access, low complexity, and no authentication or user interaction are enough to inject arbitrary content into the agent's context and bypass the sender allow/block list, which is the control most teams rely on to keep AgentMail agents from acting on untrusted input. There's no CISA KEV listing, no public exploit code, and EPSS data isn't available yet, so this looks pre-weaponized rather than actively exploited — but the low bar to exploit (a single unauthenticated POST) means that can change fast once the advisory circulates. The practical risk is the agent auto-replying to attacker-controlled addresses or acting on injected instructions as if they came from a trusted sender, opening the door to phishing, data leakage, or downstream automation abuse. Teams running PraisonAI AgentMail in webhook mode should upgrade to 4.6.78 or later immediately, and until then should front the webhook endpoint with HMAC or IP allowlisting at the network layer and audit recent message.received events for spoofed senders.
What is the risk?
High exploitability with limited-but-real impact. AV:N/AC:L/PR:N/UI:N means any unauthenticated network attacker who can reach the webhook URL can trigger the flaw with a single crafted request — no social engineering or prior access needed. Impact is capped at C:L/I:L/A:L (CVSS 7.3, high but not critical) because the vulnerability doesn't grant direct system compromise; it grants the ability to spoof trusted input into the agent's decision-making, which is a confidentiality/integrity issue at the application logic layer (CWE-290, authentication bypass by spoofing) rather than remote code execution. No CISA KEV entry, no EPSS score, and no known public exploit or Nuclei template currently exist, so there's no evidence of active or automated exploitation yet — but the attack requires no special tooling, which keeps the real-world exploitation bar low once the GitHub Security Advisory (GHSA-qj9c-59p6-8cgx) is more widely indexed by scanners.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | — | No patch |
Do you use PraisonAI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade PraisonAI / the AgentMail component to version 4.6.78 or later, which adds webhook signature verification. Until patched, avoid webhook mode for AgentMail where possible and prefer polling/OAuth-based inbound modes. As a compensating control, place the webhook endpoint behind a reverse proxy that enforces HMAC signature validation or restricts source IPs to the email provider's published webhook ranges. Audit logs for message.received events with sender addresses that don't match your provider's actual delivery infrastructure, and specifically look for replies sent to previously-unseen or non-allowlisted addresses. After patching, rotate any webhook shared secrets and re-verify the allow/block list is being enforced end-to-end.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-61428?
PraisonAI's AgentMail integration accepts inbound webhook events without verifying their signature, so anyone who can reach the endpoint can POST a forged message.received payload with a spoofed sender address and have it treated as a legitimate inbound message. Because the flaw sits in the webhook trust boundary rather than the LLM itself, an attacker doesn't need any AI/ML expertise — CVSS 7.3, network access, low complexity, and no authentication or user interaction are enough to inject arbitrary content into the agent's context and bypass the sender allow/block list, which is the control most teams rely on to keep AgentMail agents from acting on untrusted input. There's no CISA KEV listing, no public exploit code, and EPSS data isn't available yet, so this looks pre-weaponized rather than actively exploited — but the low bar to exploit (a single unauthenticated POST) means that can change fast once the advisory circulates. The practical risk is the agent auto-replying to attacker-controlled addresses or acting on injected instructions as if they came from a trusted sender, opening the door to phishing, data leakage, or downstream automation abuse. Teams running PraisonAI AgentMail in webhook mode should upgrade to 4.6.78 or later immediately, and until then should front the webhook endpoint with HMAC or IP allowlisting at the network layer and audit recent message.received events for spoofed senders.
Is CVE-2026-61428 actively exploited?
No confirmed active exploitation of CVE-2026-61428 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-61428?
Upgrade PraisonAI / the AgentMail component to version 4.6.78 or later, which adds webhook signature verification. Until patched, avoid webhook mode for AgentMail where possible and prefer polling/OAuth-based inbound modes. As a compensating control, place the webhook endpoint behind a reverse proxy that enforces HMAC signature validation or restricts source IPs to the email provider's published webhook ranges. Audit logs for message.received events with sender addresses that don't match your provider's actual delivery infrastructure, and specifically look for replies sent to previously-unseen or non-allowlisted addresses. After patching, rotate any webhook shared secrets and re-verify the allow/block list is being enforced end-to-end.
What systems are affected by CVE-2026-61428?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, webhook-triggered agents, email/message automation pipelines.
What is the CVSS score for CVE-2026-61428?
CVE-2026-61428 has a CVSS v3.1 base score of 7.3 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0051.001 Indirect AML.T0080.001 Thread AML.T0093 Prompt Infiltration via Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and trigger replies to attacker-controlled addresses, bypassing sender allow/block lists.
Exploitation Scenario
An attacker fingerprints a target organization's AgentMail webhook endpoint (e.g., from exposed documentation, a leaked integration URL, or by probing common webhook paths). They craft a JSON payload mimicking a legitimate message.received event, spoofing the "from" field to match an internal executive or an address already on the target's sender allow list, and POST it directly to the webhook with no valid signature header. Because the server never checks for a signature, the payload is accepted as genuine, the spoofed sender sails past the allow/block list, and the agent processes the injected body as trusted input — for example replying with sensitive information, forwarding data, or sending a follow-up phishing link to an attacker-controlled address, all while appearing in logs as a normal inbound conversation.
Weaknesses (CWE)
CWE-290 — Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L References
Timeline
Related Vulnerabilities
CVE-2026-61447 10.0 PraisonAI: RCE via unsandboxed LLM code execution
Same package: praisonai CVE-2026-61445 9.9 PraisonAI: AICoder root RCE via unsanitized tool calls
Same package: praisonai CVE-2026-47392 9.9 praisonaiagents: RCE via Python sandbox bypass
Same package: praisonai GHSA-vmmj-pfw7-fjwp 9.9 praisonai: sandbox escape gives RCE via codeMode tool
Same package: praisonai GHSA-vc46-vw85-3wvm 9.8 PraisonAI: RCE via malicious workflow YAML execution
Same package: praisonai