CVE-2026-4984

Name: CVE-2026-4984
Creator: NVD / NIST
Published: 2026-03-27T15:17:03.953+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.2/10EPSS 0.16%

Last modified Jun 17, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.

Metrics

CVSS 3.1

8.2/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Probability

0.16%

5.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

References

https://www.tenable.com/security/research/tra-2026-22

Timeline

Published: Mar 27, 2026
Last Modified: Jun 17, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-4984?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST