CVE-2026-42193
Published: 08 May 2026
Summary
CVE-2026-42193 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28832
Vulnerability details
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge…
more
a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing cryptographic signature verification on public /webhooks/sns endpoint directly enables unauthenticated exploitation of a public-facing application (T1190) to spoof events and trigger impacts.
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.
PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.
Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.
Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.
Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.
Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.