Message Injection Vulnerability in PraisonAI AgentMail
CVE-2026-61428
6.9MEDIUM
What is CVE-2026-61428?
PraisonAI AgentMail prior to version 4.6.78 is susceptible to a message injection vulnerability due to insufficient signature verification in webhook mode. This flaw enables unauthorized attackers to manipulate the webhook endpoint by sending specially crafted message.received events. As a result, attackers can inject arbitrary content, resulting in messages being sent from spoofed sender addresses. This presents a significant risk as it allows the circumvention of sender allow/block lists, potentially directing responses to attacker-controlled addresses.
Affected Version(s)
PraisonAI 0 < 4.6.78
PraisonAI 4.6.78
