Unauthenticated Access Vulnerability in Pipecat Open-Source Framework
CVE-2026-54695
7.5HIGH
What is CVE-2026-54695?
The Pipecat framework, utilized for developing real-time voice and multimodal conversational agents, contains an unauthenticated access vulnerability in its prior versions. The development runner registers a WebSocket endpoint that permits connections without authentication, enabling attackers to exploit the system using a crafted callSid from a handshake initiated with Twilio. This flaw allows unauthorized command execution, which can lead to the misuse of sensitive API requests. The vulnerability has been addressed in version 1.4.0.
Affected Version(s)
pipecat < 1.4.0
