Cyber Resilience

CVE-2026-4984

High

Published: 27 March 2026

Published
27 March 2026
Modified
10 May 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0016 5.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4984 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-9 (Service Identification and Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4984 affects the Twilio integration webhook handler, which accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, the handler fetches user-controlled URLs specified in 'MediaUrlN' parameters via HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. Published on 2026-03-27, this flaw has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

An unauthenticated attacker (PR:N) can exploit this remotely over the network (AV:N) with low complexity (AC:L) by forging a webhook payload that points 'MediaUrlN' to a server they control. Upon processing, the handler sends an HTTP request to the attacker's server, exposing the victim's Twilio 'accountSID' and 'authToken' in plaintext within a base64-encoded Basic Auth 'Authorization' header, enabling full compromise of the Twilio account.

The Tenable advisory at https://www.tenable.com/security/research/tra-2026-22 provides further details on mitigation.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge…

more

a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

Vulnerability in unauthenticated public webhook handler enables direct exploitation of public-facing application (T1190) to force leakage of Twilio API credentials, directly facilitating theft of application access tokens (T1528) for account compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24772Shared CWE-345
CVE-2026-25649Shared CWE-352
CVE-2025-23467Shared CWE-352
CVE-2018-25170Shared CWE-352
CVE-2025-22336Shared CWE-352
CVE-2025-23821Shared CWE-352
CVE-2025-22582Shared CWE-352
CVE-2025-23639Shared CWE-352
CVE-2024-50858Shared CWE-352
CVE-2025-23558Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification and authentication of external services like Twilio webhooks using 'X-Twilio-Signature' before processing payloads, directly preventing forged requests.

prevent

Mandates validation of information inputs including webhook signatures and 'MediaUrlN' parameters to block malicious payloads and untrusted URLs.

prevent

Monitors and controls communications at system boundaries to restrict outbound HTTP requests carrying Twilio credentials to attacker-controlled servers.

References