Back to overview

CVE-2026-61428

HIGH
7.3
CVSS 3.1
Description
PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and trigger replies to attacker-controlled addresses, bypassing sender allow/block lists.

Metadata

CVE ID
CVE-2026-61428
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-09 14:05 UTC
Published
2026-07-11 13:01 UTC
Last updated
2026-07-11 13:01 UTC
Primary CWE
CWE-290
Authentication Bypass by Spoofing
Vendor / Product
MervinPraison / PraisonAI
Sources
cve.org  ·  NVD

Severity & Metrics

7.3 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected products (1)
VendorProductPlatformVersions
MervinPraison PraisonAI 0 < 4.6.78, 4.6.78
Weakness (CWE)
CWESourceDescription
CWE-290 cna Authentication Bypass by Spoofing
CVSS scores (2)
ScoreSeverityVersionSourceVector
7.3 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.9 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
References (2)
Back to overview