Platform
other
Component
plunk
Fixed in
0.7.1
CVE-2026-32096 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Plunk, an open-source email platform built on AWS SES. This flaw allows an unauthenticated attacker to manipulate the server into making arbitrary HTTP GET requests to any host accessible from the server. The vulnerability affects versions of Plunk prior to 0.7.0 and has been resolved in version 0.7.0.
The SSRF vulnerability in Plunk poses a significant risk because it allows an attacker to bypass security controls and potentially access internal resources. An attacker could leverage this to scan internal networks, interact with internal APIs, or even exfiltrate sensitive data if the server has access to such resources. The lack of authentication required to trigger the SSRF makes it particularly dangerous, as any external user can exploit it. This could lead to data breaches, unauthorized access to internal systems, and potential disruption of email services.
CVE-2026-32096 was publicly disclosed on 2026-03-11. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the ease of exploitation and the potential impact, it is recommended to prioritize patching.
Organizations using Plunk for email delivery, particularly those relying on SNS webhooks for integration with other services, are at risk. Shared hosting environments where Plunk instances share network resources are also particularly vulnerable, as an attacker could potentially leverage the SSRF to access other services on the same host.
• other / generic web: Use curl to test for outbound request exposure. Check the SNS webhook handler configuration for overly permissive settings.
curl -v https://your-plunk-instance.com/sns/webhook
• other / generic web: Examine access and error logs for unusual outbound HTTP requests originating from the Plunk server.
grep -i 'http://' /var/log/nginx/access.log
disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32096 is to immediately upgrade Plunk to version 0.7.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting outbound network access from the Plunk server using a firewall or network segmentation. Additionally, carefully review and validate any data received from external sources, particularly SNS webhooks, to prevent malicious payloads from being processed. After upgrading, confirm the fix by attempting to trigger an SNS webhook with a crafted URL pointing to an internal resource; the request should be blocked.
Update Plunk to version 0.7.0 or later. This version fixes the SSRF vulnerability in the SNS webhook handler. The update prevents unauthenticated attackers from sending arbitrary HTTP GET requests from your server.
CVE-2026-32096 is a critical SSRF vulnerability in the Plunk email platform, versions less than or equal to 0.7.0, allowing unauthenticated attackers to make arbitrary outbound HTTP requests.
You are affected if you are using Plunk version 0.7.0 or earlier and rely on SNS webhooks. Upgrade to 0.7.0 to mitigate the risk.
Upgrade Plunk to version 0.7.0 or later. As a temporary workaround, implement network segmentation and WAF rules to restrict outbound requests.
There is no confirmed active exploitation of CVE-2026-32096 at this time, but the vulnerability's ease of exploitation warrants proactive mitigation.
Refer to the Plunk project's official release notes and security advisories on their GitHub repository for the latest information.