PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and trigger replies to attacker-controlled addresses, bypassing sender allow/block lists.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Sat, 11 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and trigger replies to attacker-controlled addresses, bypassing sender allow/block lists. | |
| Title | PraisonAI AgentMail before 4.6.78 Message Injection via Webhook | |
| First Time appeared |
Praison
Praison praisonai |
|
| Weaknesses | CWE-290 | |
| CPEs | cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Praison
Praison praisonai |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-11T13:01:01.759Z
Reserved: 2026-07-09T14:05:21.470Z
Link: CVE-2026-61428
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses