Unauthenticated Access Vulnerability in Pipecat Open-Source Framework
CVE-2026-54695

7.5HIGH

Key Information:

Vendor

Pipecat-ai

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-54695?

The Pipecat framework, utilized for developing real-time voice and multimodal conversational agents, contains an unauthenticated access vulnerability in its prior versions. The development runner registers a WebSocket endpoint that permits connections without authentication, enabling attackers to exploit the system using a crafted callSid from a handshake initiated with Twilio. This flaw allows unauthorized command execution, which can lead to the misuse of sensitive API requests. The vulnerability has been addressed in version 1.4.0.

Affected Version(s)

pipecat < 1.4.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.