Home / Vulnerability Intelligence / CVE-2026-42193

CVE-2026-42193 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: May 8, 2026

Plunk - Authentication Bypass

Published: May 8, 2026Updated: May 8, 2026Remote Exploitable

Overview

Plunk < 0.9.0 contains an authentication bypass caused by lack of SNS signature, certificate, and topic ARN verification in /webhooks/sns endpoint, letting unauthenticated attackers spoof SNS events to manipulate workflows and metrics, exploit requires no authentication.

Severity & Score

Severity: Critical

CVSS Score: 9.1

Impact

Unauthenticated attackers can spoof SNS events to manipulate workflows, unsubscribe contacts, and exhaust billing credits.

Mitigation

Update to version 0.9.0 or later.

References

https://github.com/useplunk/plunk/releases/tag/v0.9.0
https://github.com/useplunk/plunk/security/advisories/GHSA-9792-w86v-gx53

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-42193
Severity: Critical
CVSS Score: 9.1
Type: broken_authentication
Status: new

CWE

CWE-347

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H