Webhook Signature Verification Flaw in PraisonAI Product by Mervin Praison
CVE-2026-61436

8.8HIGH

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61436?

PraisonAI versions prior to 4.6.78 exhibit a serious security weakness by failing to verify Svix webhook signatures in AgentMail webhook mode. This oversight allows malicious actors to forge message.received events, enabling them to send crafted JSON payloads to the webhook endpoint. As a result, attackers can invoke configured agents using arbitrary sender addresses and message content, potentially compromising the integrity of the application and its data.

Affected Version(s)

PraisonAI 0 < 4.6.78

PraisonAI 4.6.78

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rexpository
.