Webhook Signature Verification Flaw in PraisonAI Product by Mervin Praison
CVE-2026-61436
8.8HIGH
What is CVE-2026-61436?
PraisonAI versions prior to 4.6.78 exhibit a serious security weakness by failing to verify Svix webhook signatures in AgentMail webhook mode. This oversight allows malicious actors to forge message.received events, enabling them to send crafted JSON payloads to the webhook endpoint. As a result, attackers can invoke configured agents using arbitrary sender addresses and message content, potentially compromising the integrity of the application and its data.
Affected Version(s)
PraisonAI 0 < 4.6.78
PraisonAI 4.6.78
