Message Injection Vulnerability in PraisonAI AgentMail
CVE-2026-61428

6.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
11 July 2026

What is CVE-2026-61428?

PraisonAI AgentMail prior to version 4.6.78 is susceptible to a message injection vulnerability due to insufficient signature verification in webhook mode. This flaw enables unauthorized attackers to manipulate the webhook endpoint by sending specially crafted message.received events. As a result, attackers can inject arbitrary content, resulting in messages being sent from spoofed sender addresses. This presents a significant risk as it allows the circumvention of sender allow/block lists, potentially directing responses to attacker-controlled addresses.

Affected Version(s)

PraisonAI 0 < 4.6.78

PraisonAI 4.6.78

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dinhvaren
.