Unauthenticated SNS Webhook Forgery in Plunk
Plunk, an open-source self-hosted email marketing and transactional email platform built on AWS Simple Email Service (SES), is affected by a critical authentication bypass vulnerability tracked as CVE-2026-42193, published to the National Vulnerability Database (NVD) on May 8, 2026 with a CVSS score of 9.1 (Critical).
The vulnerability resides in the /webhooks/sns endpoint, which handles incoming Amazon Simple Notification Service (SNS) event notifications. Prior to version 0.9.0, Plunk accepted SNS notification payloads from completely unauthenticated requests without performing any validation of:
- SNS message signature — Amazon cryptographically signs all SNS messages; Plunk did not verify this signature
- SNS signing certificate — The certificate URL used to verify the signature was not validated
- Topic ARN — The SNS topic ARN in the payload was not checked against expected/allowed topics
This means any attacker who can send an HTTP POST request to a Plunk instance's /webhooks/sns endpoint can forge a valid-looking Amazon SNS notification and trigger internal email platform logic.
Vulnerability Details
| Detail | Value |
|---|---|
| CVE ID | CVE-2026-42193 |
| CVSS Score | 9.1 (Critical) |
| Attack Vector | Network — unauthenticated, no user interaction required |
| Affected Product | Plunk email platform |
| Affected Versions | All versions prior to 0.9.0 |
| Fixed Version | 0.9.0 |
| Patch Available | Yes |
| Exploited in Wild | Not yet reported |
| Published | May 8, 2026 |
How the Vulnerability Works
Background: AWS SNS Webhooks
When Plunk is integrated with AWS SES, Amazon SNS delivers email event notifications (bounces, complaints, deliveries) to Plunk via HTTP POST requests to the /webhooks/sns endpoint. AWS signs all SNS messages with a private key and includes:
- A `Signature` field (base64-encoded cryptographic signature)
- A `SigningCertURL` field pointing to the signing certificate
- A `TopicArn` field identifying the originating SNS topic
A correctly implemented webhook handler must:
- Check that `SigningCertURL` is an HTTPS URL on an expected Amazon SNS host (`sns.<region>.amazonaws.com`) before fetching anything, so that a forged message cannot make the server download and trust an attacker-hosted certificate
- Download the certificate from `SigningCertURL`
- Rebuild the canonical string-to-sign from the message fields in the order AWS documents, and verify `Signature` against it using the certificate's public key
- Validate `TopicArn` against the known-good topic configured for the SES event subscription
The Flaw: Zero Validation
Plunk's SNS webhook handler in versions prior to 0.9.0 performed none of these checks. Any HTTP POST to /webhooks/sns with a properly structured JSON payload would be processed as if it were a legitimate Amazon SNS notification.
An attacker can craft a forged SNS payload and send it directly to the endpoint:
```json
{
  "Type": "Notification",
  "TopicArn": "arn:aws:sns:us-east-1:123456789:fake-topic",
  "Message": "{\"notificationType\":\"Bounce\",\"bounce\":{\"bounceType\":\"Permanent\",...}}",
  "Signature": "FAKESIGNATURE",
  "SigningCertURL": "https://attacker.com/fake.pem"
}
```
Because no signature, certificate, or topic validation is performed, this payload is processed identically to a legitimate AWS notification.
Potential Impact
Successful exploitation of CVE-2026-42193 could allow an attacker to:
| Attack Scenario | Impact |
|---|---|
| Forge bounce notifications | Mark valid email addresses as permanently bounced, suppressing future legitimate emails to those addresses |
| Forge complaint notifications | Trigger complaint-handling logic that could unsubscribe users or penalize senders |
| Manipulate delivery tracking | Inject false delivery confirmations, corrupting analytics and reporting |
| Trigger internal automation | Any business logic connected to SNS events could be invoked arbitrarily |
| Denial of Service | Flood the endpoint with fake notifications to overwhelm processing queues |
The suppression of email addresses via forged bounce notifications is particularly impactful for marketing platforms: a targeted attack could silently prevent emails from reaching entire mailing lists.
Who Is Affected
Plunk is an open-source, self-hosted alternative to commercial email platforms like Mailchimp and SendGrid, designed for developers who want to manage transactional and marketing email through their own AWS SES account. Organizations running Plunk versions prior to 0.9.0 with the SNS webhook endpoint exposed to the internet are vulnerable.
The vulnerability is network-exploitable from any internet-accessible host with no authentication credentials required.
Remediation
Immediate Action Required
Upgrade Plunk to version 0.9.0 or later immediately. The fix implements proper SNS message signature verification including:
- Certificate URL validation — ensures `SigningCertURL` points to an `amazonaws.com` domain
- Cryptographic signature verification — validates the SNS message against Amazon's signing certificate
- Topic ARN validation — checks the incoming topic against expected configured values
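The checklist in the "Background" section and the three checks the 0.9.0 fix adds are the same procedure. The following TypeScript (Plunk is a Node.js/TypeScript project) is an added illustration written for this page, not Plunk's own handler or the 0.9.0 patch. It validates the certificate host before any fetch, rebuilds the SNS canonical string-to-sign, verifies the RSA signature (SHA-1 for `SignatureVersion` 1, SHA-256 for version 2), and checks `TopicArn` against an allowlist. The topic ARN, message ID, certificate path and the in-memory `fetchCert` stub are assumptions for the demo; the "Amazon" key pair is generated locally, and the stub returns a bare SPKI public key in place of the X.509 certificate Amazon actually serves.

```typescript
import {
  createPublicKey, createSign, createVerify, generateKeyPairSync,
  KeyObject, X509Certificate,
} from "node:crypto";

// Fields of an SNS HTTP(S) POST body that matter for verification.
export type SnsMessage = {
  Type: string; MessageId: string; TopicArn: string; Message: string; Timestamp: string;
  Subject?: string; SubscribeURL?: string; Token?: string;
  SignatureVersion: string; Signature: string; SigningCertURL: string;
};

// Certificate host pattern: https://sns.<region>.amazonaws.com[.cn]/...
const TRUSTED_CERT_HOST = /^sns\.[a-zA-Z0-9-]{3,}\.amazonaws\.com(\.cn)?$/;
const SIGNED_TYPES = new Set(["Notification", "SubscriptionConfirmation", "UnsubscribeConfirmation"]);

// Amazon signs "<Key>\n<Value>\n" for these fields, in this order.
// Subject is included only when present; every other field must exist.
const NOTIFICATION_FIELDS = ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"];
const CONFIRMATION_FIELDS = ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"];

export function canonicalString(msg: SnsMessage): string {
  const fields = msg.Type === "Notification" ? NOTIFICATION_FIELDS : CONFIRMATION_FIELDS;
  const bag = msg as unknown as Record<string, string | undefined>;
  let out = "";
  for (const f of fields) {
    if (bag[f] === undefined) {
      if (f === "Subject") continue;
      throw new Error(`missing signed field ${f}`);
    }
    out += `${f}\n${bag[f]}\n`;
  }
  return out;
}

// Reject the URL before any network access: a forged message must not be able
// to make the server fetch (and then trust) an attacker-hosted certificate.
export function isTrustedCertUrl(url: string): boolean {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && TRUSTED_CERT_HOST.test(u.hostname);
  } catch {
    return false;
  }
}

// Amazon serves an X.509 certificate; a bare SPKI public key PEM is accepted
// too so the demo can stand in for it without minting a certificate.
export function publicKeyFromPem(pem: string): KeyObject {
  return pem.includes("BEGIN CERTIFICATE") ? new X509Certificate(pem).publicKey : createPublicKey(pem);
}

export type CertFetcher = (url: string) => string;

export function verifySnsMessage(msg: SnsMessage, allowedTopics: Set<string>, fetchCert: CertFetcher): boolean {
  try {
    if (!SIGNED_TYPES.has(msg.Type)) return false;
    if (!allowedTopics.has(msg.TopicArn)) return false;       // topic ARN allowlist
    if (!isTrustedCertUrl(msg.SigningCertURL)) return false;  // certificate URL check
    const algo = msg.SignatureVersion === "1" ? "RSA-SHA1"
      : msg.SignatureVersion === "2" ? "RSA-SHA256" : null;
    if (algo === null) return false;
    const key = publicKeyFromPem(fetchCert(msg.SigningCertURL));
    const v = createVerify(algo);
    v.update(canonicalString(msg), "utf8");
    return v.verify(key, msg.Signature, "base64");            // signature check
  } catch {
    return false;
  }
}

// Demo: a locally generated key pair stands in for Amazon's signing key.
export function demo(): Record<string, boolean> {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const fetchCert: CertFetcher = () => publicKey.export({ type: "spki", format: "pem" }) as string;
  const topic = "arn:aws:sns:us-east-1:123456789012:ses-events"; // assumed configured topic
  const unsigned: SnsMessage = {
    Type: "Notification",
    MessageId: "5b0f1a0e-0000-4000-8000-000000000001",          // constructed
    TopicArn: topic,
    Message: JSON.stringify({ notificationType: "Bounce", bounce: { bounceType: "Permanent" } }),
    Timestamp: "2026-05-08T12:00:00.000Z",
    SignatureVersion: "2",
    Signature: "",
    SigningCertURL: "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem",
  };
  const signer = createSign("RSA-SHA256");
  signer.update(canonicalString(unsigned), "utf8");
  const genuine: SnsMessage = { ...unsigned, Signature: signer.sign(privateKey, "base64") };
  const allowed = new Set([topic]);
  return {
    genuine: verifySnsMessage(genuine, allowed, fetchCert),
    // the page's forged payload: bogus signature, attacker-hosted certificate
    forged: verifySnsMessage({ ...genuine, Signature: "FAKESIGNATURE",
      SigningCertURL: "https://attacker.com/fake.pem" }, allowed, fetchCert),
    // genuine signature, but the body was altered after signing
    tampered: verifySnsMessage({ ...genuine, Message: genuine.Message.replace("Permanent", "Transient") },
      allowed, fetchCert),
    // genuine signature from a topic this instance is not subscribed to
    wrongTopic: verifySnsMessage(genuine, new Set(["arn:aws:sns:us-east-1:123456789012:other"]), fetchCert),
  };
}
```

In production the `fetchCert` stub is replaced by an HTTPS GET that caches the certificate by URL; because the URL check runs first, the cache can only ever be populated from `sns.<region>.amazonaws.com`. Note that the ordering matters for more than correctness: checking the topic and certificate host before doing any cryptography also keeps the forged-notification flood from the "Denial of Service" row cheap to reject.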
If Immediate Upgrade Is Not Possible
- Restrict network access to the `/webhooks/sns` endpoint — limit inbound HTTP access to Amazon SNS IP ranges only (published in the AWS IP address ranges JSON; filter for the `AMAZON` service in your region). Treat this as a stopgap, not a fix: the `AMAZON` ranges are a superset that also covers EC2, so an attacker running from an AWS-hosted instance still reaches the endpoint
- Monitor the endpoint for unexpected request sources — any non-AWS IP should be treated as suspicious
- Audit recent SNS webhook logs for anomalous activity that may indicate prior exploitation, such as bounce or complaint events for addresses SES never reported, or requests with a `SigningCertURL` outside `amazonaws.com`
Key Takeaways
- CVE-2026-42193 is a critical authentication bypass — unauthenticated attackers can forge any Amazon SNS notification type
- The root cause is a missing validation implementation, not a complex logic flaw — SNS signature verification is a well-documented requirement
- Email suppression attacks are particularly damaging — forged bounce notifications can silently break email delivery for entire mailing lists
- Self-hosted email platforms carry significant security responsibility — organizations choosing open-source alternatives must maintain timely patching
- Fix is available in Plunk v0.9.0 — upgrade immediately if running any prior version