CVE-2026-34975
Published: 06 April 2026
Summary
CVE-2026-34975 is a high-severity CRLF Injection (CWE-93) vulnerability in Useplunk Plunk. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Email Spoofing (T1672). The CVE is ranked at the 13.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires implementation of input validation at API endpoints to reject \r or \n characters in user-supplied from.name, subject, custom headers, and attachment filenames, directly preventing CRLF injection into raw MIME messages.
- Mandates identification, reporting, and correction of flaws like the CRLF injection vulnerability through patching to version 0.8.0 with schema-level validation.
- Provides output filtering of constructed MIME messages prior to transmission via AWS SES to block or remove injected arbitrary headers such as Bcc or Reply-To.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CRLF injection enables arbitrary email header manipulation (Bcc, Reply-To, From) directly facilitating sender spoofing per T1672.
NVD Description
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME messages without sanitization. An authenticated API user could inject arbitrary email headers (e.g. Bcc, Reply-To) by embedding carriage return/line feed characters in these fields, enabling silent email forwarding, reply redirection, or sender spoofing. The fix adds input validation at the schema level to reject any of these fields containing \r or \n characters, consistent with the existing validation already applied to the contentId field. This vulnerability is fixed in 0.8.0.
Deeper analysis
CVE-2026-34975 is a CRLF header injection vulnerability (CWE-93) in Plunk, an open-source email platform built on top of AWS SES, affecting versions prior to 0.8.0. The flaw exists in the SESService.ts component, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames are interpolated directly into raw MIME messages without sanitization, allowing the injection of carriage return/line feed (\r\n) characters.
An authenticated API user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables the injection of arbitrary email headers, such as Bcc or Reply-To, facilitating silent email forwarding, reply redirection, or sender spoofing. The issue has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), reflecting the high confidentiality impact and the scope change (the injected headers affect parties outside the API caller's own authorization scope).
The vulnerability is addressed in Plunk version 0.8.0, which implements input validation at the schema level to reject \r or \n characters in the affected fields, consistent with prior validation applied to the contentId field. Additional details are available in the GitHub security advisory at https://github.com/useplunk/plunk/security/advisories/GHSA-2mvm-rg5v-7hfq.
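The mechanism described in the NVD text and the analysis above, as an added illustration that is not Plunk's code: a minimal MIME header builder that interpolates from.name, subject, custom headers and attachment filenames straight into the header block, beside the schema-level check that the 0.8.0 fix describes (reject any of those fields containing \r or \n). All function and field names here (findCrlfField, buildHeadersUnsafe, buildHeadersSafe, the OutgoingMail shape) are assumptions for the example, and the tainted sample message is constructed.

```typescript
// Added example, not code from the Plunk project. Field names mirror the
// page's description (from.name, subject, custom headers, attachment
// filenames); the OutgoingMail shape itself is an assumption.
interface OutgoingMail {
  fromName: string;
  fromAddress: string;
  to: string;
  subject: string;
  headers?: Record<string, string>;
  attachmentFilenames?: string[];
}

// A bare CR or LF anywhere in a value is enough to terminate a header line.
const CRLF_PATTERN = /[\r\n]/;

// Schema-level validation in the spirit of the 0.8.0 fix: returns the name of
// the first field that contains a CR/LF, or null when every field is clean.
function findCrlfField(mail: OutgoingMail): string | null {
  if (CRLF_PATTERN.test(mail.fromName)) return "from.name";
  if (CRLF_PATTERN.test(mail.subject)) return "subject";
  const headers = mail.headers || {};
  for (const key of Object.keys(headers)) {
    if (CRLF_PATTERN.test(key) || CRLF_PATTERN.test(headers[key])) {
      return "headers." + key;
    }
  }
  for (const name of mail.attachmentFilenames || []) {
    if (CRLF_PATTERN.test(name)) return "attachment.filename";
  }
  return null;
}

// The "before" state: values are interpolated into the raw header block
// unchecked, so a CR/LF inside any field ends that header and starts a new one.
function buildHeadersUnsafe(mail: OutgoingMail): string {
  const lines: string[] = [
    "From: " + mail.fromName + " <" + mail.fromAddress + ">",
    "To: " + mail.to,
    "Subject: " + mail.subject,
  ];
  const headers = mail.headers || {};
  for (const key of Object.keys(headers)) {
    lines.push(key + ": " + headers[key]);
  }
  for (const name of mail.attachmentFilenames || []) {
    lines.push('Content-Disposition: attachment; filename="' + name + '"');
  }
  return lines.join("\r\n") + "\r\n";
}

// Hardened builder: the message is rejected before any interpolation happens,
// which is the same effect as validating at the API schema.
function buildHeadersSafe(mail: OutgoingMail): string {
  const bad = findCrlfField(mail);
  if (bad !== null) {
    throw new Error("CR/LF characters are not allowed in " + bad);
  }
  return buildHeadersUnsafe(mail);
}

// Splits a raw header block back into header names, i.e. what a receiving
// MTA or a log reviewer would actually see as distinct headers.
function parseHeaderNames(raw: string): string[] {
  return raw
    .split("\r\n")
    .filter((line) => line.length > 0)
    .map((line) => line.slice(0, line.indexOf(":")).trim());
}

// Constructed sample: a display name that smuggles in a second header line.
const SAMPLE_TAINTED: OutgoingMail = {
  fromName: "Support\r\nBcc: hidden-recipient@example.net",
  fromAddress: "noreply@example.com",
  to: "user@example.com",
  subject: "Your receipt",
};

// Clean counterpart of the same message.
const SAMPLE_CLEAN: OutgoingMail = {
  fromName: "Support",
  fromAddress: "noreply@example.com",
  to: "user@example.com",
  subject: "Your receipt",
};
```

Running parseHeaderNames over buildHeadersUnsafe(SAMPLE_TAINTED) shows four headers (From, Bcc, To, Subject) where the caller was only entitled to set three, which is exactly the silent-forwarding case the advisory describes; buildHeadersSafe rejects the same input with the offending field name, and passes SAMPLE_CLEAN through unchanged. A reviewer auditing a similar codebase can apply the same check to every field that reaches a header line, including the attachment filename, which is easy to overlook because it lands inside a MIME part rather than the top-level header block.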
Details
- CWE(s)